I am creating a custom CMS and have built a login system, and was wondering how vulnerable hashing the passwords this way would be compared to just using the md5 PHP function like this:
<?php $token = md5($salt . $password . $pepper); ?>
Most people just add a salt, but adding pepper just makes sense if you're going to add salt :)
Here is how I am doing it:
<?php $token = hash_hmac('sha512', $salt . $password . $pepper, $key); ?>
The $key would be a value in the database that is unique to each user. The $salt and the $pepper are randomly generated strings. The $password is the password of course.
Added on 07/24/09
Thanks for all your responses. Does anyone have any examples of how they do a hash script for creating passwords to store in a database?
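For the request above, one way to write the storing and verifying side, as an added example that is not part of the original post: it puts the post's single-pass HMAC construction next to PHP's built-in `password_hash()` / `password_verify()`, which generate the per-user salt themselves and use a deliberately slow algorithm. The function names, the `PEPPER` constant, the assumption that the pepper is one site-wide secret kept outside the database, and all sample values are assumptions made for illustration; the code needs PHP 7 or later.

```php
<?php
// Assumption: the pepper is a site-wide secret loaded from configuration,
// not stored in the database. Constructed sample value, not a real secret.
const PEPPER = 'constructed-sample-pepper';

// The scheme from the post: one HMAC-SHA512 pass over salt . password . pepper,
// keyed with a per-user value that is stored in the database next to the salt.
function post_scheme_hash(string $password, string $salt, string $key): string
{
    return hash_hmac('sha512', $salt . $password . PEPPER, $key);
}

function post_scheme_verify(string $password, string $salt, string $key, string $stored): bool
{
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($stored, post_scheme_hash($password, $salt, $key));
}

// Built-in password API (PHP >= 5.5): the salt and the cost setting are
// embedded in the returned string, so only one column has to be stored.
function kdf_hash(string $password): string
{
    // Pepper applied as an HMAC key; the hex output is 64 characters,
    // which stays under bcrypt's 72-byte input limit.
    $peppered = hash_hmac('sha256', $password, PEPPER);
    return password_hash($peppered, PASSWORD_DEFAULT);
}

function kdf_verify(string $password, string $stored): bool
{
    return password_verify(hash_hmac('sha256', $password, PEPPER), $stored);
}

// Constructed sample user record for the post's scheme.
$salt   = bin2hex(random_bytes(16));
$key    = bin2hex(random_bytes(32));
$stored = post_scheme_hash('correct horse', $salt, $key);
var_dump(post_scheme_verify('correct horse', $salt, $key, $stored));
var_dump(post_scheme_verify('wrong guess', $salt, $key, $stored));

$stored2 = kdf_hash('correct horse');
var_dump(kdf_verify('correct horse', $stored2));
var_dump(kdf_verify('wrong guess', $stored2));
```

With the first pair of functions the database needs the salt, the key and the token per user; with the second pair the single string returned by `password_hash()` is all that is stored.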