dnabbrocks, Posted February 29, 2012: Hello. I've been trying to determine the best encryption method for passwords on my site. I've used sha1 as is in the book. Can you please explain why this is the best method, if you believe it is, for securing passwords on my site rather than md5 or crypt, etc.? Thanks
Jonathon, Posted February 29, 2012: I think it depends on the level of security you really need. Md5 has already been cracked I believe, so I'd rule that out. Sha1 is a good alternative to md5 though.
Edward, Posted February 29, 2012: Sha1, as Sir Jonathon quoted, and using password hashing: that will give them a tough time.
margaux, Posted February 29, 2012: SHA256 is an improvement on SHA1 if you want to be a bit tighter with your security.
dnabbrocks (Author), Posted March 1, 2012: Thanks for the input. I've seen "crypt" used to encrypt the passwords as well. Do you have any input on this? Thanks
HartleySan, Posted March 1, 2012: Probably should add that (as Larry states in the book) there is a difference between encryption functions and hash functions. Encrypted information can be decrypted, so you'd probably want to encrypt things like credit card numbers, PIN numbers, etc., whereas things that have been hashed cannot be recovered.
Jonathon, Posted March 1, 2012: I nearly posted this last night. I agree!
HartleySan, Posted March 1, 2012: Well, I almost didn't post it myself because I didn't want to sound all pedantic, but it seemed like an important enough distinction to make.
Jonathon, Posted March 2, 2012: I decided not to, because it's often described as MD5 encryption, so it's easy to see why people think it's an encrypted password.
dnabbrocks (Author), Posted March 2, 2012: Agreed, and I am aware of the difference. I guess I'm looking for which I should be using. Now I'm trying to have the user change their password, and when I print the query, the crypted password being passed is not matching the password that was crypted when the user registered and is already in the database.
Jonathon, Posted March 2, 2012: I guess your code would help here. At a guess I'd say you're not hashing the original password and the stored hash.
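The mismatch dnabbrocks describes is the usual crypt() pitfall: each call with a fresh salt produces a different hash, so the only correct check re-hashes the submitted password with the stored hash as the salt. The following is an added example, not code from the thread or from the book; it assumes PHP 5.6+ (for hash_equals and the "$2y$" bcrypt scheme) and uses random_bytes, which needs PHP 7 (older PHP would use openssl_random_pseudo_bytes instead).

```php
<?php
// Added example: why two crypt() calls on the same password differ, and how
// to verify a stored crypt() hash. Assumes PHP 5.6+ (hash_equals, "$2y$") and
// PHP 7+ for random_bytes().

// Build a salt in the format crypt() expects for bcrypt:
// "$2y$" + two-digit cost + "$" + 22 characters from [./A-Za-z0-9].
function make_bcrypt_salt($cost = 10) {
    $raw   = random_bytes(16);
    $chars = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $chars);
}

// Registration: hash with a fresh random salt and store the WHOLE result
// (scheme, cost and salt are embedded in the returned string).
function hash_password($password) {
    return crypt($password, make_bcrypt_salt());
}

// Verification: pass the stored hash back in as the salt so crypt() reuses
// the same scheme, cost and salt, then compare in constant time.
function verify_password($password, $stored_hash) {
    return hash_equals($stored_hash, crypt($password, $stored_hash));
}

$stored = hash_password('correct horse');   // saved at registration

// The mistake from the thread: hashing again with a NEW salt and comparing.
$fresh = hash_password('correct horse');
var_dump($fresh === $stored);               // bool(false): new salt, new hash

// The fix: re-hash with the stored hash as the salt.
var_dump(verify_password('correct horse', $stored));   // bool(true)
var_dump(verify_password('wrong password', $stored));  // bool(false)
```

On PHP 5.5 and later, password_hash() and password_verify() wrap exactly this salt-generation and stored-hash-as-salt logic, so new code should prefer them over calling crypt() directly.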