[PHP] [PHP]: php validate user password

2009-02-09 Thread Andrew Williams
Hi, Can some body help out on how to validate user password from the database? Thanks Andrew

Re: [PHP] [PHP]: php validate user password

2009-02-09 Thread Jan G.B.
2009/2/9 Andrew Williams andrew4willi...@gmail.com: Hi, Hi, Can some body help out on how to validate user password from the database? There are several possibilities. This would be one. ? $query = 'SELECT 1 from `usertable` where `name` = ' .

[PHP] php validate user password

2009-02-09 Thread Michael Kubler
These days SHA should really be used instead of MD5, and you should be SALTing the password as well. Here's a great guide: http://phpsec.org/articles/2005/password-hashing.html Michael Kubler Grey Phoenix Productions http://www.greyphoenix.biz Jan G.B. wrote: 2009/2/9 Andrew Williams

Re: [PHP] php validate user password

2009-02-09 Thread Stuart
2009/2/9 Michael Kubler mdk...@gmail.com: These days SHA should really be used instead of MD5, and you should be SALTing the password as well. Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html Good advice. I would also advise against stripping and trimming anything

Re: [PHP] php validate user password

2009-02-09 Thread Jan G.B.
2009/2/9 Stuart stut...@gmail.com: 2009/2/9 Michael Kubler mdk...@gmail.com: These days SHA should really be used instead of MD5, and you should be SALTing the password as well. Here's a great guide: http://phpsec.org/articles/2005/password-hashing.html Good advice. Absolutely. I used

Re: [PHP] php validate user password

2009-02-09 Thread Stuart
2009/2/9 Jan G.B. ro0ot.w...@googlemail.com: 2009/2/9 Stuart stut...@gmail.com: I would also advise against stripping and trimming anything from passwords. By removing characters you're significantly reducing the number of possible passwords. Surely, the stripping should only be done when

Re: [PHP] php validate user password

2009-02-09 Thread tedd
At 2:02 PM + 2/9/09, Stuart wrote: 2009/2/9 Michael Kubler mdk...@gmail.com: These days SHA should really be used instead of MD5, and you should be SALTing the password as well. Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html Good advice. I would also

Re: [PHP] php validate user password

2009-02-09 Thread Bruno Fajardo
tedd, I think that the problem of the duplicated hashes in the database (in the case of two users using the same password) persists with a constant prefix in the passwords. Although the random salt portion gets stored in the database concatenated to the hash, the attacker doesn't know the string

Re: [PHP] php validate user password

2009-02-09 Thread tedd
At 12:20 PM -0300 2/9/09, Bruno Fajardo wrote: tedd, I think that the problem of the duplicated hashes in the database (in the case of two users using the same password) persists with a constant prefix in the passwords. Although the random salt portion gets stored in the database concatenated to

RE: [PHP] php validate user password

2009-02-09 Thread Boyd, Todd M.
-Original Message- From: tedd [mailto:tedd.sperl...@gmail.com] Sent: Monday, February 09, 2009 10:30 AM To: Bruno Fajardo Cc: PHP General Subject: Re: [PHP] php validate user password At 12:20 PM -0300 2/9/09, Bruno Fajardo wrote: tedd, I think that the problem

RE: [PHP] php validate user password

2009-02-09 Thread tedd
At 10:41 AM -0600 2/9/09, Boyd, Todd M. wrote: -Original Message- From: tedd [mailto:tedd.sperl...@gmail.com] Granted, there are things here that are above my head -- I am not passing myself off as an expert but rather as someone proposing ideas to see if they pass or fail. I

Re: [PHP] php validate user password

2009-02-09 Thread Jan G.B.
2009/2/9 Stuart stut...@gmail.com: 2009/2/9 Jan G.B. ro0ot.w...@googlemail.com: 2009/2/9 Stuart stut...@gmail.com: I would also advise against stripping and trimming anything from passwords. Trimming could be left out but it minimizes user errors and users pretending to know their password.

Re: [PHP] php validate user password

2009-02-09 Thread Micah Gersten
onlist this time... tedd wrote: snip I think the MD5() hash is a pretty good way and if the weakness is the user's lack of uniqueness in determining their passwords, then we can focus on that problem instead of looking to another hash. And besides, the solution presented was to

Re: [PHP] php validate user password

2009-02-09 Thread Bruno Fajardo
Or, like the article suggested, a random portion for the hash... I agree with you, Micah. The hash collision is a problem, and must be avoided. Same password hashes for different users are very good candidates for a dictionary attack. Probably, in most of these cases, users picked easy passwords,
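The following is an added example, not code posted by anyone in this thread. It puts together the points the posters raised: a per-user random salt hashed with SHA instead of unsalted MD5 (Michael Kubler, Bruno Fajardo), so that two users with the same password do not end up with the same stored hash; the password used exactly as typed, with no trim() or stripping (Stuart); and the lookup done with a prepared statement rather than concatenating the user name into the query string. The table name `usertable` is taken from Jan G.B.'s snippet; the `salt` and `hash` columns, the function names and the in-memory SQLite database (a constructed stand-in for the poster's real database, so the script runs offline) are assumptions. Note that PHP 5.5 and later ship password_hash() and password_verify(), which use bcrypt and handle the salt for you; for new code they should be preferred over any hand-rolled salted SHA scheme like the one shown here.

```php
<?php
// Added example: per-user salted SHA-256 password storage and validation.
// Table name `usertable` is from the thread; column names, function names and
// the in-memory SQLite database are assumptions made for this example.
declare(strict_types=1);

const SALT_BYTES = 16;

// Build the salt/hash pair to store for a new password.
// random_bytes() is PHP 7+; hash_equals() below is PHP 5.6+.
function makePasswordRecord(string $password): array
{
    $salt = bin2hex(random_bytes(SALT_BYTES));          // per-user random salt, hex
    // The password is hashed exactly as typed: no trim(), no stripslashes().
    $hash = hash('sha256', $salt . $password);
    return ['salt' => $salt, 'hash' => $hash];
}

function registerUser(PDO $db, string $name, string $password): void
{
    $rec  = makePasswordRecord($password);
    $stmt = $db->prepare('INSERT INTO usertable (name, salt, hash) VALUES (?, ?, ?)');
    $stmt->execute([$name, $rec['salt'], $rec['hash']]);
}

// Returns true only if the user exists and the supplied password matches.
function validateUser(PDO $db, string $name, string $password): bool
{
    // Prepared statement: the name is bound as data, never spliced into SQL.
    $stmt = $db->prepare('SELECT salt, hash FROM usertable WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still spend a hash so the response time does not
        // reveal whether the account exists.
        hash('sha256', str_repeat('0', SALT_BYTES * 2) . $password);
        return false;
    }

    $candidate = hash('sha256', $row['salt'] . $password);
    return hash_equals($row['hash'], $candidate);       // constant-time comparison
}

// Constructed test database standing in for the poster's real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE usertable (name TEXT PRIMARY KEY, salt TEXT NOT NULL, hash TEXT NOT NULL)');

registerUser($db, 'alice', 'correct horse');
registerUser($db, 'bob',   'correct horse');            // same password as alice

var_dump(validateUser($db, 'alice', 'correct horse'));  // correct password
var_dump(validateUser($db, 'alice', 'correct horse ')); // trailing space: a different password
var_dump(validateUser($db, "alice' OR '1'='1", 'x'));   // injection attempt bound as a literal name
var_dump(validateUser($db, 'nobody', 'correct horse')); // unknown user

// Same password, different stored hashes, because each user has its own salt.
$hashes = $db->query('SELECT name, hash FROM usertable ORDER BY name')
             ->fetchAll(PDO::FETCH_KEY_PAIR);
var_dump($hashes['alice'] !== $hashes['bob']);
```

Run it with `php validate.php` (requires the pdo_sqlite extension). The duplicate-hash case Bruno describes is the last check: alice and bob share a password, yet a dump of the table gives an attacker two unrelated hashes, so a cracked entry for one tells nothing about the other, which a constant site-wide prefix would not achieve.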