PHPMaster.com: Password Hashing In PHP
by Chris Cornutt January 14, 2013 @ 11:57:32
On PHPMaster.com there's a new tutorial that wants to help you keep your application and users a bit safer - a guide to password hashing for PHP applications.
You must always think about security. If passwords are stored in plain text, what happens if an attacker gains access to your database? He can easily read all of the users' passwords. That's why we use a technique called password hashing to prevent attackers from getting user passwords. In this article you'll learn how to store the passwords securely in the database so that, even if your database falls into wrong hands, no damage will be done.
He starts off describing what password hashing is and why it's important (and better than its plain-text alternative). He gives some examples of using the built-in hashing functions PHP offers to generate the hashes. He starts with md5/sha1 (note: these are not recommended) but moves on to more effective options like sha256, salted hashing and even bcrypt via crypt.
Be sure to check out the comments for other security concerns and links to suggested tools and resources.
password hash tutorial md5 sha1 sha256 bcrypt
DeveloperDrive.com: 5 PHP Security Measures
by Chris Cornutt July 05, 2012 @ 12:02:53
On the DeveloperDrive.com site today there's a new post with five easy steps you can take to help increase the security of your PHP-based applications.
For many years, PHP has been a stable, inexpensive platform on which to operate web-based applications. Like most web-based platforms, PHP is vulnerable to external attacks. Developers, database architects and system administrators should take precautions before deploying PHP applications to a live server. Most of these techniques can be accomplished with a few lines of code or a slight adjustment to the application settings.
The five tips they list range from general "best practice" kinds of things to a bit more specific:
- Manage Setup Scripts
- Include Files (using ".php" not ".inc")
- MD5 vs. SHA
- Automatic Global Variables (no longer an issue in recent releases, 5.4.x)
- Initialize Variables and Values
security tips include setup md5 sha global variables
Joseph Scott's Blog: Slow Hashing
by Chris Cornutt April 10, 2012 @ 11:55:02
In this new post Joseph Scott takes a look at hashing in PHP, specifically md5 hashes, and a better (and more secure) alternative.
The majority of the Coding Horror: Speed Hashing post talks about speed based on MD5. [...] If you are still using MD5 to hash passwords (or worse, aren't hashing passwords at all) then please stop and go use bcrypt. For those using PHP phpass is a great option.
He talks about the crypt method, how its hashing algorithm and "cost" value affect the speed, and how long it would take to generate all possible hashes for a password (hint: crypt with a cost of 13 is worlds better than md5).
slow hashing md5 crypt blowfish cost speed
PHP.net: 5.3.7 upgrade warning
by Chris Cornutt August 22, 2011 @ 12:32:48
In a quick note from the PHP.net site, they have a warning for those running PHP 5.3.7 (the most recent release) - there's a bug in crypt() serious enough that upgrades should probably wait until 5.3.8.
Due to unfortunate issues with 5.3.7 (see bug#55439) users should wait with upgrading until 5.3.8 will be released (expected in few days).
The issue causes the crypt() function to return only the salt it was given (MD5 salts only) instead of the correctly hashed string. If you need a fix immediately, you can pull the latest from the snaps site (or binaries for Windows). Keep an eye out for PHP 5.3.8 in the near future.
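A hashing helper in the spirit of the slow-hashing and 5.3.7 posts above, as an added example that is not code from either post: bcrypt via crypt() with a tunable cost, plus the sanity check that crypt() returned a full hash rather than echoing its salt back. It assumes PHP 5.3.7 or later for the $2y$ prefix and openssl_random_pseudo_bytes(); the function names are mine.

```php
<?php
// Added example, not code from any of the posts above. Assumes PHP 5.3.7+ for the
// "$2y$" bcrypt identifier and openssl_random_pseudo_bytes(); function names are mine.

// Build a bcrypt salt for crypt(): "$2y$" + two-digit cost + "$" + 22 chars of [./A-Za-z0-9].
function bcrypt_salt($cost)
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // 16 random bytes, base64-encoded, "+" mapped to "." and trimmed to the 22 chars bcrypt reads.
    $raw = openssl_random_pseudo_bytes(16);
    return sprintf('$2y$%02d$%s', $cost, substr(strtr(base64_encode($raw), '+', '.'), 0, 22));
}

// Hash a password and refuse to return anything that is not a full 60-character bcrypt hash.
// A crypt() that echoes the salt back (as the 5.3.7 bug did for MD5 salts) or that lacks the
// algorithm would otherwise leave a short value in the database that any password "matches".
function hash_password($password, $cost = 13)
{
    $salt = bcrypt_salt($cost);
    $hash = crypt($password, $salt);
    if ($hash === $salt || strlen($hash) !== 60) {
        throw new RuntimeException('crypt() did not return a usable bcrypt hash; refusing to store it');
    }
    return $hash;
}

// Re-hash with the stored hash as the salt and compare in constant time.
function verify_password($password, $stored)
{
    $computed = crypt($password, $stored);
    if (strlen($computed) !== strlen($stored)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($computed[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

// Why the cost matters: every +1 doubles the work for the defender and the attacker alike.
foreach (array(5, 10, 13) as $cost) {
    $start = microtime(true);
    hash_password('correct horse battery staple', $cost);
    printf("cost %2d: %.3f seconds per hash\n", $cost, microtime(true) - $start);
}
$stored = hash_password('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $stored), verify_password('wrong password', $stored));
```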
version crypt salt md5 hash warning upgrade
NetTuts.com: Understanding Hash Functions and Keeping Passwords Safe
by Chris Cornutt January 18, 2011 @ 08:05:29
On NetTuts.com today there's a new tutorial from Burak Guzel about keeping your passwords (and web applications) safer by using hashing with passwords and understanding which of the PHP functions is right for you.
From time to time, servers and databases are stolen or compromised. With this in mind, it is important to ensure that some crucial user data, such as passwords, can not be recovered. Today, we are going to learn the basics behind hashing and what it takes to protect passwords in your web applications.
The article is a simple introduction to the topic and doesn't claim that it will protect you 100%, but it's good to get the ball rolling. He covers md5 hashing and the crypt method, and also outlines a few problems that surround hashing - hash collisions, attackers using "rainbow tables" and how quickly the average computer can run through hashes (an average 8 character password could be broken in around 60 hours). For each, he includes a few things you can do in your code to help prevent them from happening.
hashing password md5 crypt salt tutorial
Jonathan Street's Blog: Random thoughts on random strings
by Chris Cornutt July 03, 2008 @ 07:58:33
On his blog, Jonathan Street has posted some "random thoughts" on generating random (or not so random) strings in PHP.
Humans are astoundingly bad at being random and I just slapped the keyboard a few times until I felt I had the required 16 characters. Writing some code to produce a fairly random string is incredibly easy. I've easily done it a dozen times or more. Though only because it is easier to re-write it than to find where I put the last one.
He gives two examples that work, but aren't the best possibilities for making truly random strings - one using mt_rand to select a random character from a string and the other using the same idea but with the chr() function in place of the string of characters.
His other examples include the use of the uniqid function with the more_entropy setting enabled and an md5 or sha1 hash (for which he gives positives and negatives).
random string mtrand md5 sha1 chr uniqid moreentropy
AnyExample.com: PHP password generation
by Chris Cornutt December 29, 2006 @ 08:03:00
A new tutorial has been posted over on AnyExample.com dealing with password generation in PHP. This type of script can be useful for creating a default password for your application to give initially to the user.
Modern web-applications often provide (during registration, or password-reset) random-generated passwords for its users. However these passwords (usually a random combination of letters or numbers) are quite hard to remember: in fact, it's even impossible to read them. This article provides a function for generating English-like readable passwords.
The key difference in this script is that last sentence - making the passwords somewhat human-readable. They give an example of what the traditional (md5-ish) approach to making passwords is before giving the code to create something a bit easier to remember like "lyttakor" or "fapoution". Example usage code is also provided.
password generation memorable easy md5 tutorial
Ryan Malesevich's Blog: MD5 to SHA-1 in PHP and MySQL (Part 1)
by Chris Cornutt October 02, 2006 @ 09:31:00
Ryan Malesevich is taking a break from his look at some handy WordPress packages to share a small series on how to move from MD5 hashes to SHA-1 hashes for passwords in a MySQL database. He's posted part one today.
What if you're using MD5 in your web application and want to switch over to another encryption method? It's actually not that hard and I plan to cover them in this multi-part tutorial (I know I planned on writing this months ago, but it's better late than never). In this first part I plan on going over updating the database structure and a 'pseudo-code' of what will need to be done.
As mentioned, he gives the outline (pseudo-code) of how the process will work - basically, creating a SHA1 hash of the MD5 hash and the username, stored in a "newpassword" column added to your database.
md5 sha1 encryption mysql username generate pseudocode