Here's a good article that I found recently that relates to this topic: http://benlog.com/articles/2008/06/19/dont-hash-secrets/
I'm definitely looking at the way that I store passwords differently now.

Kind regards,
Keri Henare
---------------------------------------------------
CTO Pixel Fusion
[e] [email protected]
[m] (+64) 021 874 552
[p] (+64) 09 928 6040
[w] www.pixelfusion.co.nz

On 1/02/2010, at 9:48 AM, aaron v1.4.10 wrote:

> Yes Richard that's very good advice. I think the article highlights 2
> issues significant to us as devs
>
> 1) Enforcing stronger password validation
> 2) Password encryption
>
> md5 and sha1 are out of date, they once were good practice. A lot of
> people still think they are good practice (up to a few months ago I
> was one of them). This is probably due to thousands of articles
> showing it being used for password implementation. This is why I
> belong to groups like this one, to confer with others on good practice.
> (Let's not give php a bad name with bad coding). The sad thing is all
> my projects still use md5 at the moment while I spend time reading all
> the encryption articles to determine what to use, and hopefully not be
> doing the same thing in the future when that method gets broken.
>
> Applied Cryptography by Bruce Schneier from end to end ... too long a
> process I think. I guess what I'm asking is what function CAN I use to
> make the nasties go away. I was thinking crypt, but there are some
> mistakes that can be made to make it easier to crack.
>
> --
> NZ PHP Users Group: http://groups.google.com/group/nzphpug
> To post, send email to [email protected]
> To unsubscribe, send email to
> [email protected]
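As an added example (not code posted by anyone in this thread), the following PHP shows the answer to the quoted question "what function CAN I use": bcrypt through password_hash()/password_verify() (PHP 5.5 and later), with an upgrade path for rows that still hold legacy unsalted md5 hashes, plus the crypt()-based equivalent to show the salt-building step that crypt() leaves to the caller. The cost value, the column layout and the sample credentials are assumptions made for the example; random_bytes() and the scalar type hints need PHP 7.0 or later.

```php
<?php
// Added example for this thread, not code from the original posts.
// Assumptions: PHP >= 7.0, a users table with a password_hash column that may
// still contain 32-hex-char md5 values from the old scheme.

const BCRYPT_COST = 12; // assumption: tune so one hash takes ~100-250 ms on your server

// Store a new password. password_hash() generates a random per-password salt
// itself and embeds it in the returned "$2y$12$..." string.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login check for a row that may still carry a legacy md5 hash.
// Returns [bool $ok, string|null $newHash]; $newHash is non-null when the stored
// value should be replaced (legacy format, or bcrypt cost below current policy).
function verifyAndUpgrade(string $password, string $storedHash): array
{
    // Legacy rows: 32 hex chars from md5($password). Compare in constant time,
    // then hand back a bcrypt hash so the row is upgraded on this login.
    if (preg_match('/^[0-9a-f]{32}$/i', $storedHash)) {
        if (hash_equals(strtolower($storedHash), md5($password))) {
            return [true, hashPassword($password)];
        }
        return [false, null];
    }

    // Modern rows: password_verify() reads the algorithm, cost and salt from the hash.
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        ? hashPassword($password)
        : null;
    return [true, $newHash];
}

// Same result via crypt(), which the thread was considering. The caller must build
// the "$2y$<cost>$<22 salt chars>" prefix itself; a weak or reused salt here is
// exactly the kind of mistake password_hash() takes out of the developer's hands.
function bcryptViaCrypt(string $password): string
{
    // 16 random bytes -> base64 -> bcrypt's [./A-Za-z0-9] alphabet, 22 chars.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, sprintf('$2y$%02d$%s', BCRYPT_COST, $salt));
}

// Constructed demo data (not from the thread).
$stored = md5('correct horse'); // a legacy row as left by the old md5 scheme

list($ok, $upgrade) = verifyAndUpgrade('correct horse', $stored);
echo $ok ? "login ok\n" : "login failed\n";
if ($upgrade !== null) {
    // UPDATE users SET password_hash = :upgrade WHERE id = :id   (assumed schema)
    $stored = $upgrade;
    echo "row upgraded to bcrypt\n";
}

list($ok, $upgrade) = verifyAndUpgrade('correct horse', $stored);
echo ($ok && $upgrade === null) ? "bcrypt row, no rehash needed\n" : "unexpected\n";

list($ok, ) = verifyAndUpgrade('wrong password', $stored);
echo $ok ? "unexpected\n" : "wrong password rejected\n";

echo password_verify('correct horse', bcryptViaCrypt('correct horse'))
    ? "crypt() path ok\n"
    : "crypt() path failed\n";
```

The upgrade-on-login pattern matters for the "all my projects still use md5" situation: the legacy column values cannot be converted offline because the plaintext is unknown, so each row is rehashed the next time its owner authenticates, and the md5 branch can be deleted once no legacy rows remain. Raising BCRYPT_COST later is handled the same way by password_needs_rehash().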
