Richard Clark wrote:
> As a general plea to everyone on-list, and not specifically to you,
> please don't invent your own crypto systems for use in production. [ .. ]
> Take the security of your users seriously. Do it properly. It doesn't
> take long to implement a proper password function in comparison to a
> cheap sha1(), and the security difference is significant.

http://www.openwall.com/phpass/ is a pretty solid library for password hashing (it does hashing as you describe plus key strengthening and embeds the hash and algorithm into the result for portability). Used by Drupal now.

--
E|2 DIGITAL
TIM OLIVER
SOFTWARE ENGINEER
P +64 3 377 0007
F +64 3 377 6582
www.e2digital.co.nz

--
NZ PHP Users Group: http://groups.google.com/group/nzphpug
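
An added example, not part of the original thread and not phpass code: it shows what a strengthened hash that carries its own algorithm and cost buys over a bare sha1() digest, namely that old records can be recognised and upgraded at login. It assumes PHP 7.1+ and uses PHP's built-in password_hash() family rather than phpass; the function names, the cost value and the sample records are assumptions made for illustration.

```php
<?php
// Added example: not from the thread, not phpass. Assumes PHP >= 7.1.

const COST = 12; // assumed bcrypt work factor; tune to your own hardware

/** True if the stored value is a bare 40-hex-char sha1() digest (legacy record). */
function is_legacy_sha1(string $stored): bool {
    return (bool) preg_match('/^[0-9a-f]{40}$/', $stored);
}

/**
 * Check a login attempt against a stored value.
 * Returns [bool $ok, ?string $newHash]; $newHash is non-null when the
 * stored value should be replaced with a stronger one.
 */
function verify_and_upgrade(string $password, string $stored): array {
    if (is_legacy_sha1($stored)) {
        // Legacy path: unsalted, single-round digest, compared in constant time.
        $ok = hash_equals($stored, sha1($password));
    } else {
        // The stored string names its own algorithm, cost and salt.
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return [false, null];
    }
    $stale = is_legacy_sha1($stored)
        || password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => COST]);
    $new = $stale ? password_hash($password, PASSWORD_BCRYPT, ['cost' => COST]) : null;
    return [true, $new];
}

// Constructed sample records: one legacy digest, one hash made at a lower cost.
$records = [
    'legacy' => sha1('correct horse'),
    'modern' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10]),
];

foreach ($records as $label => $stored) {
    [$ok, $new] = verify_and_upgrade('correct horse', $stored);
    $info = password_get_info($new ?? $stored); // reads algorithm and cost back out of the string
    printf("%s: ok=%s upgraded=%s algo=%s cost=%s\n", $label,
        var_export($ok, true), var_export($new !== null, true),
        $info['algoName'], $info['options']['cost'] ?? '-');
}
```

Both sample records verify and both come back with a replacement hash: the sha1() digest because it has no salt or work factor at all, the cost-10 hash because the stored string itself reveals that it is below the current setting.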
