Encryption

[dnabbrocks]

Hello.

I've been trying to determine the best encryption method for passwords on my site. I've used sha1 as is in the book. Can you please explain why this is the best method, if you believe it is, for securing passwords on my site rather than md5 or crypt, etc?

Thanks

[Jonathon]

I think it depends on the level of security you really need. Md5 has already been cracked I believe so I'd rule that out. Sha1 is a good alternative to md5 though.

[Edward]

Sha1 as Sir Jonathon quoted, and using password hashing, that will give them a tough time.

[margaux]

SHA256 is an improvement on SHA1 if you want to be a bit tighter with your security

[dnabbrocks]

Thanks for the input. I've seen "crypt" to encrypt the passwords as well. Do you have any input on this?

Thanks

[HartleySan]

Probably should add that (as Larry states in the book) there is a difference between encryption functions and hash functions.

 

Encrypted information can be decrypted, so you'd probably want to encrypt things like credit card numbers, PIN numbers, etc., whereas things that have been hashed cannot be recovered.

[Jonathon]

I nearly posted this last night. I agree!

[HartleySan]

Well, I almost didn't post it myself because I didn't want to sound all pedantic, but it seemed like important enough a distinction to make.

[Jonathon]

I decided not to, because it's often described as MD5 encryption, so it's easy to see why people think it's an encrypted password.

[dnabbrocks]

Agreed, and I am aware of the difference. I guess I'm looking for which I should be using. Now I'm trying to have the user changed their password, when I print the query the crypted password passing is not matching the password that was crypted when the user registered, and is already in the database.

[Jonathon]

I guess your code would help here. At a guess I'd say you're not hashing the original password and the stored hash