
Reddit.com:
Login Security (Best Practices Recommendations)
August 14, 2012 @ 12:20:08

On Reddit.com there's a good conversation going on in the PHP category about login security and best practices surrounding it.

So I was handed an ancient project which was up to me to fix / improve. About a week later I am about done but there is 1 thing I left...Login security. As it is now, it's just md5(password) that's saved in the database. Better than nothing, but far from good enough. My plan was to have a constant pepper in the class which handles the logins, then do something like crypt(pepper . $password) to store it, since that should generate a random salt and is slower than sha1 / md5 / etc. I feel this should be safe enough, do any of you have any ideas on how to improve it (without non-standard extensions)?

There are lots of comments so far and many of them follow the same line: use a stronger password hashing method, something like crypt with Blowfish (bcrypt) or a similar slow, salted algorithm, possibly combined with a keyed hash (HMAC) for the pepper.
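To make the advice in the thread concrete, here is an added example (not code from the Reddit thread or from PHPDeveloper.org) of what moving the inherited md5(password) login to crypt() with Blowfish looks like: a random per-user salt, a tunable cost, the pepper applied through an HMAC as commenters suggested, a constant-time comparison, and a transparent re-hash of legacy md5 rows on the user's next successful login. The function names, the cost of 12, and the pepper string are assumptions chosen for the example; the pepper is a placeholder that a real deployment would load from configuration or the environment. It needs PHP 7.0 or later for `random_bytes()` and scalar type declarations.

```php
<?php
// Added example (not from the Reddit thread or PHPDeveloper.org): upgrading an
// md5(password) login to crypt() with Blowfish (bcrypt), as the thread suggests.

// Assumption: cost 12 is a reasonable starting work factor; measure it on your own servers.
const BCRYPT_COST = 12;

// The legacy scheme the poster inherited: unsalted, fast, and identical for equal passwords.
function legacy_md5_hash(string $password): string
{
    return md5($password);
}

// Keyed pre-hash with a server-side secret (the "pepper") via HMAC. Its fixed-length
// hex output also keeps the input well under bcrypt's 72-byte limit.
function pepper_password(string $password, string $pepper): string
{
    return hash_hmac('sha256', $password, $pepper);
}

// crypt() with a Blowfish ($2y$) setting string: random per-user salt, tunable cost.
// On PHP >= 5.5 password_hash($peppered, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]) does the same.
function hash_password(string $password, string $pepper, int $cost = BCRYPT_COST): string
{
    // 22 characters from the bcrypt salt alphabet [./A-Za-z0-9], drawn from a CSPRNG.
    $salt    = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $setting = sprintf('$2y$%02d$%s', $cost, $salt);
    $hash    = crypt(pepper_password($password, $pepper), $setting);
    // crypt() returns a short failure string such as '*0' when Blowfish is unavailable.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// crypt() re-derives the hash from the salt embedded in $stored; hash_equals() compares
// in constant time. Legacy md5 rows are still accepted so existing users can log in.
function verify_password(string $password, string $stored, string $pepper): bool
{
    if (strpos($stored, '$2y$') === 0) {
        return hash_equals($stored, crypt(pepper_password($password, $pepper), $stored));
    }
    return hash_equals($stored, legacy_md5_hash($password));
}

// Migration on login: returns a new bcrypt hash to write back when the stored value is legacy md5.
function rehash_if_needed(string $password, string $stored, string $pepper): ?string
{
    return strpos($stored, '$2y$') === 0 ? null : hash_password($password, $pepper);
}

// --- constructed demo data (not a real user or secret) ---
$pepper = 'PLACEHOLDER-PEPPER-LOAD-FROM-CONFIG';
$users  = ['alice' => legacy_md5_hash('correct horse')];   // a row from the old md5 schema

if (verify_password('correct horse', $users['alice'], $pepper)) {
    $new = rehash_if_needed('correct horse', $users['alice'], $pepper);
    if ($new !== null) {
        $users['alice'] = $new;   // e.g. UPDATE users SET password_hash = :new WHERE name = 'alice'
    }
}
var_dump(strpos($users['alice'], '$2y$12$') === 0);
var_dump(verify_password('correct horse', $users['alice'], $pepper));
var_dump(verify_password('wrong password', $users['alice'], $pepper));
```

Keeping the pepper out of the database (unlike the salt, which lives inside the `$2y$` string) is what gives it value: a dump of the users table alone is then not enough to start guessing offline. The cost parameter is the knob the poster was reaching for with "slower than sha1 / md5"; raise it over time as hardware gets faster, since `crypt()` reads the cost back from the stored hash when verifying.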

Tags: security, password, hash, encrypt, bestpractice, discussion


All content copyright, 2015 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework