Hi,
I am using PHP. I used to use native mysql function password() to store passwords. I was told that password() is not safe anymore. What would be the best method to store passwords in PHP? is it MD5?
Hi,
I am using PHP. I used to use native mysql function password() to store passwords. I was told that password() is not safe anymore. What would be the best method to store passwords in PHP? is it MD5?
You need to salt the password.
vBulletin does a pretty good job at storing passwords. md5(md5(password) + salt);
I recommend first prepending a salt value to your password, followed by hashing the resultant string with a reasonably strong hashing function like SHA256. This secures against the obvious (plain text passwords) and the not so obvious (attack using Rainbow tables).
Keep in mind that if you store passwords in this way, you will not be able to retrieve a user's lost password. They'll only be able to reset passwords. This is because you'll be using a one way hash. But this limitation is generally worth the tradeoff for a more secure password storage system. Even if your database is compromised, your user's passwords will still be exceedingly difficult and probably unpractical to recover by a would be attacker.
To argue with the the other answer, VBulletin does a horrid job of hashing passwords. Their salt is only 3 characters long, only fractionally increasing the security of your application.
Check out http://www.openwall.com/phpass/ . They do an excellent job of using a long hash, unique to each password, and running the password through md5 thousands of times. It is one of the best hashing systems for php out there.
If you can avoid storing the user password that's your best option, imo. Use OpenId (like Stackoverflow) to authenticate the user. Or Live Authentication (http://dev.live.com/liveid/). If you really, really need to authenticate the users yourself; do what Asaph says in his answer. :)