SHA1 is just as easy to crack now, apparently. Salted SHA256 is the
way to go, perhaps something like

    $pwd = $_POST['pwd'];                      // password as submitted
    $salt = sha1(md5($pwd));                   // salt derived from the password itself
    $encrypted = hash('sha256', $pwd.$salt);   // SHA-256 over password + salt

No one's going to be able to use a reverse lookup to get the original
password, if they do get into your database, and if anyone can see
your code to see how you mixed things up, you've lost anyway, but I'd
be interested to see how others do this.
Steve
On Jan 31, 5:15 am, "aaron v1.4.10" <[email protected]> wrote:
> That was really interesting. Did you have a link to a list for the top
> 1000 passwords?
>
> On the topic of passwords, now that md5 can be cracked in seconds, I
> guess using SHA1 is now considered best practice. Perhaps it's time to
> have a password weakness feature (code anyone?)
--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
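
Added example, not part of the original thread and not the poster's code: it puts the password-derived salt from the message above next to a per-user random salt and PHP's built-in password_hash(), to show what each one stores for two users who picked the same password. The helper function names and the sample passwords are constructed for illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example. Function names and passwords are constructed for illustration.

// Scheme from the post: the "salt" is computed from the password itself.
function derived_salt_hash(string $pwd): string
{
    $salt = sha1(md5($pwd));
    return hash('sha256', $pwd . $salt);
}

// Per-user random salt, stored beside the hash (still one fast SHA-256 pass).
function random_salt_hash(string $pwd): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $pwd)];
}

function verify_random_salt(string $pwd, array $stored): bool
{
    $candidate = hash('sha256', $stored['salt'] . $pwd);
    return hash_equals($stored['hash'], $candidate); // constant-time comparison
}

$alice = 'correct horse'; // constructed sample
$bob   = 'correct horse'; // a second user with the same password

// 1. Derived salt: the stored value is a fixed function of the password,
//    so both users end up with the same database entry.
var_dump(derived_salt_hash($alice) === derived_salt_hash($bob));

// 2. Random salt: the same password produces different stored hashes,
//    and verification recomputes with the salt saved for that user.
$a = random_salt_hash($alice);
$b = random_salt_hash($bob);
var_dump($a['hash'] === $b['hash']);
var_dump(verify_random_salt($alice, $a));
var_dump(verify_random_salt('wrong guess', $a));

// 3. password_hash(): generates the random salt itself, uses a deliberately
//    slow algorithm, and packs algorithm, cost and salt into one string.
$stored = password_hash($alice, PASSWORD_DEFAULT);
var_dump(password_verify($bob, $stored));
var_dump(password_verify('wrong guess', $stored));
```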