Kavoir.com: Just Hashing is Far from Enough for Storing Passwords (Dictionary & Rainbow Attacks)
by Chris Cornutt March 09, 2010 @ 13:11:01
On Kavoir.com there's a new post that reminds you that hashing isn't enough anymore to protect your users and their passwords. They offer a suggestion or two of what you can do to help lock things down a bit more.
The common practice is to hash the user password and store the hash string of the password in the database. When the user tries to log in and supplies his password, it is used to generate a hash string to be compared to the one stored in the database. [...] This approach may be secure in the 70s of the last century, but barely any more.
Computing has evolved to the point where plain hashes can be matched, sometimes in less than two or three minutes. Their answer to the problem? Generate a random salt each time you create the hash, with a constant used as a base. A code snippet calling a user-defined function and the sha1 function is included.
hash password salt dictionary rainbow attack
ITNewb.com: Encrypting Passwords with PHP for Storage Using the RSA PBKDF2 Standard
by Chris Cornutt September 21, 2009 @ 11:19:09
On the ITnewb.com site today there's a new tutorial looking at hashing passwords for storage in your PHP apps using the RSA PBKDF2 standard - a "Password-Based Key Derivation Function" that applies a pseudorandom function to the password and a salt, repeating it for a configurable number of iterations, to produce the derived key.
When creating password hashes for storage, many programmers will run a password through MD5 once and call it a day, rendering those hashes very susceptible to attack if they're discovered. In this article, you'll learn how to create stronger hashes with PHP by using the RSA PBKDF2 Standard.
They create a quick function that takes in a few different values - the password, a salt value, how many iterations to run, how long you want the derived key to be and which hash to use (in this case sha256).
tutorial storage password rsa pbkdf2 standard
ITNewb.com: Generating Session IDs and Random Passwords with PHP
by Chris Cornutt June 01, 2009 @ 08:46:50
New on the ITNewb.com site today is a tutorial looking at generating session ID numbers and random passwords for your application using functions like mt_rand and mt_srand.
Whether it's session ids, passwords or tokens in general, in the world of web development the ability to generate random alpha-numeric strings is a necessity. In this article I present a few simple yet effective PHP functions that can be used to generate strong alpha, numeric and/or special character tokens and passwords.
He gives examples of generating tokens and generating passwords, each with a custom function that he explains and provides a usage example for.
random session tutorial password
Jani Hartikainen's Blog: Dealing with different password validation schemes in a single app
by Chris Cornutt May 23, 2009 @ 06:32:17
Jani Hartikainen has written up a new post for his blog looking at how to combine multiple password validation methods inside of a single application.
If your application is well thought out, you would not want to save any data that isn't valid. So what do you do, when you need different validation schemes, say for passwords, depending on some special case? [...] There is a better approach: Using a "policy" - Policies can be used for other things than this too, but let's look at how to use a policy for managing password validation.
He sets up an example scenario in which the user enters an invalid password and then a valid one, and shows how policies for password validation (regular expression matches and other validation techniques) provide a simple way to ensure the user has entered acceptable input.
policy validation password multiple
NETTUTS.com: Creating an Advanced Password Recovery Utility
by Chris Cornutt May 06, 2009 @ 08:47:49
On the NETTUTS site today there's a new article (continuing on from this tutorial) looking at how to make a "forgot your password" system to add on to their current login technique.
In my last tutorial, 'A Better Login System', a few people commented on how they would like to see a tutorial on password recovery, which is something you don't always see in user access tutorials. The tutorial I am bringing you today will deal with just that. Using mySQLi, we will learn to recover unencrypted and (one-way) encrypted passwords.
They give you what you'll need to set up the database for the user information and the PHP code you'll need to connect to it and fetch the user's information. The script then generates an email with a custom link that will take the user to a page asking them to answer a security question before they can continue.
password recovery security question link email login
Adam Jensen's Blog: Flexible User Authentication with Zend_Auth
by Chris Cornutt April 10, 2009 @ 07:56:35
Adam Jensen has written up a new article today on how you can use the Zend_Auth component of the Zend Framework to authenticate your users in a few different ways based on a strategy selected.
For this example, we're going to allow our users to authenticate in one of multiple ways: e.g., against a database table, against an LDAP server, or by OpenID [1]. Zend_Auth already provides the necessary authentication adapters, so what we'll be concerned with here is how to implement all three systems without ending up in an FSUC situation.
He defines the code for the basic controller and a simple view that lets the user select how they want to log in - email/password, username/password or OpenID. The model does the heavy lifting: the controller sets the authentication type (strategy) and the model pulls in the correct Zend_Form instance along with its validation rules. Code is also included for the model and each of the forms.
flexible user authentication zendauth zendframework email password username openid
Juozas Kaziukenas' Blog: Scraping login requiring websites with cURL
by Chris Cornutt February 24, 2009 @ 08:44:43
Several sites have areas where content is protected behind a login, making them difficult to pull into a script. Juozas Kaziukenas has created an option to get you past this hurdle - a PHP class (built on cURL) that POSTs the login data to the login script and keeps the resulting session ID.
But how are you going to do all this work with cookies and session IDs? Luckily, PHP has the cURL extension, which simplifies connecting to remote addresses, using cookies, staying in one session, POSTing data, etc. It's a really powerful library, which basically allows you to use all HTTP header functionality. For crawling secure pages, I've created a very simple Secure_Crawler class.
The class uses the built-in cURL functionality to send the POST information (in this case the username and password, but it can easily be changed to whatever the form requires) and provides a get() method for fetching other pages once you're logged in.
login require scrape curl secure crawler tutorial username password
Timothy Boronczyk's Blog: Paste Ninja (a new kind of pastebin)
by Chris Cornutt December 08, 2008 @ 11:19:37
Timothy Boronczyk has posted about a new site/service he's created with PHP - Paste Ninja. He details it more in the post:
Paste Ninja is a pastebin application that lets you share code snippets with others. Instead of flooding an IRC channel or your Instant Messenger conversations with lines of source code, you can paste it online for public viewing.
The world probably doesn't need another pastebin app, either, but there are several features in store that other pastebins don't have.
Features for Paste Ninja include:
- the ability to create threaded pastes
- setting an expiration date for the entry
- setting a password to protect the code
- seeing how many times it's been viewed
- adding comments on a line-by-line basis
- and, a very cool feature, submitting a paste via an email account rather than only through the site
pasteninja pastebin email password expire threaded
DevShed: Building a User Management Application
by Chris Cornutt November 25, 2008 @ 10:24:33
On DevShed.com today they're continuing a series with part two of their look at user management - more specifically at the creation of a user management application for access control.
Any application that is security critical will have some kind of method to track and maintain user activity. In this article we will begin to build a user management system that will give us control over who has access to which part of our application.
The system also provides authentication support (not just role management) and allows for user registration, "forgot my password" and password management. Code and database information for the ten files needed to build the system are included.
user management application php5 tutorial password authentication