On Wed, Jul 8, 2009 at 10:44 AM, Andrew Ballard<aball...@gmail.com> wrote:
> On Wed, Jul 8, 2009 at 9:48 AM, Martin Scotta<martinsco...@gmail.com> wrote:
>> $sql = 'SELECT * FROM your-table WHERE username = \''. $username .'\'
>> and passwd = md5( concat( \'' . $username .'\', \'@\', \'' . $password
>> .'\'))';
>> I use this solution because md5 run faster in Mysql
>> --
>> Martin Scotta
> If you were running a loop to build a rainbow table or brute-force a
> password, I could see where that would matter. For authenticating a
> single user it seems like premature optimization to me. On my
> development machine, where PHP runs slow inside of the IDE, the
> average time to perform an md5 hash on a text string of 38 characters
> (much longer than most passwords) over 10000 iterations is around
> 0.00085 seconds. I can live with that. :-)  I still like handling the
> encryption in PHP and then passing the encrypted value to the database
> for storage/comparison.
> Andrew
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

You shouldn't be using md5 or sha1 to hash passwords as both have been
attacked and successfully exploited.  There are other hashing
functions in PHP that you should use.  And FWIW, you WANT hashing to
be slow.  The faster it is, the less complicated the algorithm is
(assuming all implementations are equal), the more easy it is to
break.  And if you're storing hashed passwords as a means of

//somewhere where you can access it several places, like config.php
define('SALT', '2435kh...@#$@#14asdnaksa10=nsdf'); //random
characters, the longer and more random, the better.  If it was email
compatible, I'd have given a "real" salt read out of /dev/random at
some point, like you should be doing.

//prepare the password
$password = $_POST['password'] . SALT;
$password = hash('sha512', $password); //assume you've validated

//query the database to make sure the password is the right one
$stmt = $db->prepare('SELECT password FROM users WHERE user_name=?);
$stmt->bindParam(1, $password);
list($dbPass) = $stmt->fetch();
if($dbPass == $password) {
    echo 'success';
} else {
    echo 'failure';

The reason you salt passwords, especially with binary characters, is
that without knowing what the salt is, it's nearly impossible to
create a rainbow table and run rainbow table attacks on your database.
 It costs nearly nothing to do, in terms of resource usage and any
sort of human comprehensible scheme to store those hashes is easily
broken.  I've seen "{$user}{$randomCharacter}{$password}" used before,
and I'd never recommend something so simple.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to