On Saturday 11 January 2003 12:12 am, Scott Fletcher wrote:
> The only thing that is important to me is that the password get
> encrypted before transmitting across the internet.

From other posts further in the thread it looks like you aren't ready to use https. That's too bad; that would really be the right solution.

But since you must hash, one problem with hashing is that it is still necessary to have the hash vary from one invocation to another. Otherwise, if the hash is the same every time the user logs in (i.e., if all you do is take the password and run it through md5), then anyone who can sniff the hash will be able to replay a login.

Unfortunately, if you want the hash to be different from one invocation to the next, then the password cannot be stored on the server as a one-way hash. Instead, it would be either plaintext or encrypted on the server. This way, when you want to send the hash over the internet, instead of just hashing the password, you can generate a few extra characters, append (or prepend) the characters to the password, then hash the whole thing. Then, when you send the hash over, send the extra characters too. On the server side, you would then take the password from the database (or wherever), decrypt it (if it's encrypted), append or prepend the extra characters, hash the whole thing, and compare the hashes.

tiger

--
Gerald Timothy Quimpo  tiger*quimpo*org  gquimpo*sni-inc.com  tiger*sni*ph
Public Key: "gpg --keyserver pgp.mit.edu --recv-keys 672F4C78"
Veritas liberabit vos. Doveryai no proveryai.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
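The challenge-response scheme described above, written out as an added example (not code from the thread): the server issues the "extra characters" as a one-time nonce and discards it after use, so a sniffed (nonce, digest) pair cannot be replayed; SHA-256 stands in for md5, and the credential store, user name and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store. In the scheme from the post the server
# must be able to recover the password itself, so it is held here in
# plaintext; in practice a reversible encryption layer would wrap this store.
USERS = {"alice": "correct horse battery staple"}

# Nonces the server has issued but not yet consumed, keyed by user.
_pending = {}


def issue_nonce(user):
    """Server side: generate the 'extra characters' for one login attempt."""
    nonce = secrets.token_hex(16)  # 128 bits of randomness, hex encoded
    _pending[user] = nonce
    return nonce


def client_digest(password, nonce):
    """Client side: hash nonce + password.

    Only this digest and the nonce cross the wire; the password never does.
    """
    return hashlib.sha256((nonce + password).encode("utf-8")).hexdigest()


def verify_login(user, nonce, digest):
    """Server side: recompute the digest from the stored password and compare.

    Returns True only if this nonce is the one outstanding for the user
    (so a replayed pair is rejected) and the digests match.
    """
    if _pending.get(user) != nonce:
        return False
    # Consume the nonce before checking, so even a failed attempt burns it.
    del _pending[user]
    password = USERS.get(user)
    if password is None:
        return False
    expected = client_digest(password, nonce)
    # Constant-time comparison avoids leaking digest bytes via timing.
    return hmac.compare_digest(expected, digest)
```

A captured pair is useless to a replaying observer because the nonce it contains has already been consumed; each login needs a fresh one from issue_nonce.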