Hi,
Having read this article and many others out there on how to not store passwords in databases and cookies, I'm wondering now how I should do it...
What I've come up with so far (after reading around a bit) is taking the clear-text user password, padding it with salt till it fills up 512 bits (64 bytes => 64 chars, since the page is non-unicode), and then doing
<?php
// $saltedpw is the password padded with salt to 64 bytes (built earlier)
$pwhash = hash('sha512', $saltedpw);
// re-hash the hex digest 1000 more times
for ($i = 0; $i < 1000; $i++) {
    $pwhash = hash('sha512', $pwhash);
}
Then I would store (UserName, HashedPw, Salt) in the database, but what do I do about the cookie (to identify users that want to stay logged on after the session has expired)?
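The scheme from the post, written out as an added example (this is not code from the original post): salt plus iterated SHA-512 for the stored password hash, and a separate random "remember me" token for the cookie so that neither the password nor its hash ever leaves the server. The iteration count, salt and token sizes, the 30-day expiry and the in-memory array standing in for the database are assumptions made for illustration.

```php
<?php
// Added example, not from the original post. Iteration count, salt/token
// sizes and the 30-day token lifetime are illustrative assumptions.
const PW_ITERATIONS = 1000;
const SALT_BYTES = 16;
const TOKEN_BYTES = 32;
const TOKEN_LIFETIME = 30 * 86400;

// Hash once over salt + password, then re-hash the hex digest the configured
// number of times (the procedure described in the post, with a random salt
// instead of a fixed pad).
function derive_hash(string $password, string $salt, int $iterations = PW_ITERATIONS): string {
    $h = hash('sha512', $salt . $password);
    for ($i = 0; $i < $iterations; $i++) {
        $h = hash('sha512', $h);
    }
    return $h;
}

// Registration: fresh CSPRNG salt per user, store (username, hash, salt).
function register(array &$db, string $user, string $password): void {
    $salt = bin2hex(random_bytes(SALT_BYTES));
    $db['users'][$user] = ['hash' => derive_hash($password, $salt), 'salt' => $salt];
}

// Login: recompute with the stored salt and compare in constant time.
function verify_password(array $db, string $user, string $password): bool {
    if (!isset($db['users'][$user])) {
        return false;
    }
    $rec = $db['users'][$user];
    return hash_equals($rec['hash'], derive_hash($password, $rec['salt']));
}

// "Remember me": the cookie carries only a random token. The database keeps a
// hash of the token, so a leaked table does not yield usable cookies.
function issue_remember_token(array &$db, string $user): string {
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $db['tokens'][hash('sha256', $token)] = [
        'user'    => $user,
        'expires' => time() + TOKEN_LIFETIME,
    ];
    return $token; // value to put in the cookie (set it HttpOnly and Secure)
}

// Resolve a cookie token back to a user; expired tokens are deleted.
function user_from_remember_token(array &$db, string $token): ?string {
    $key = hash('sha256', $token);
    if (!isset($db['tokens'][$key])) {
        return null;
    }
    $rec = $db['tokens'][$key];
    if ($rec['expires'] < time()) {
        unset($db['tokens'][$key]);
        return null;
    }
    return $rec['user'];
}

// Demo against an in-memory "database" (constructed sample data).
$db = ['users' => [], 'tokens' => []];
register($db, 'alice', 'correct horse battery staple');
var_dump(verify_password($db, 'alice', 'correct horse battery staple'));
var_dump(verify_password($db, 'alice', 'wrong password'));
$cookieValue = issue_remember_token($db, 'alice');
var_dump(user_from_remember_token($db, $cookieValue));
var_dump(user_from_remember_token($db, 'not-a-real-token'));
```

The point of the split is that a cookie value only ever needs to prove possession of a random secret, so it should be an independent token that can be revoked on its own, not a copy of the password hash. For the password side itself, PHP's built-in password_hash() and password_verify() (bcrypt or Argon2) do the salting and slow hashing for you and are the usual replacement for a hand-rolled SHA-512 loop.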