Perhaps this radical attack is not so much a problem if you have a good code that prevents SQL injection and such, but there is still brute force or dictionary attack options that hackers could use to obtain the word a user password, including the password for the administrator. It is therefore important that their own site and the confidentiality and security of the users to ensure that passwords are safely stored in its database. When a user enters his password, which was expected to be safe, then do not let your users down! There are many ways a PHP programmer can encrypt passwords before storing in the database. The most common method is to use a hash table, which means that the process of encryption password can not be reversed, if a user loses his password, you must give the old and the new one can be decrypted and given back. Hashed passwords are typically checked when entering the same way that a password is clear: comparing strings.
There are exceptions to this method of hash stronger, I'll get there. The simplest (and most common) is the use of MD5 to encrypt the password. Although this method is very easy, and certainly better than nothing, it is very difficult to break the encryption, and there are many sites that will help you do just that. I tried one of these sites once, with great success. However, if you think that this method will be safe enough for your site, at least for now, this is what you can do: $ Encrypt_pass = md5 ($ pass); $ Encrypt_pass Where is the password is encrypted $ pass the variable containing the password you want to encrypt. But since this method is quite precarious, look at other options. A very similar hash, but slightly better is SHA1. Works the same way as md5 exception that returns a 160 bit instead of 128-bit fingerprint: $ Encrypt_pass = sha1 ($ pass);
.
The way it works is that the string is added to the password before it MD5 or SHA1. This is enough to prevent brute force or dictionary attacks, as the theory behind this is that the weakness of the password of a user can be enhanced by the salt before hashing and inserted into the database. For example, $ Col = "pass123" ;/ / Let's say this is the password entered by the user $ Salt = "1y2Jdu1D8! B" ;/ / This is the algorithm of salt $ Encrypt_pass = md5 ($ salt $ pass) ;/ / Add the salt and hash If the attacker can know that the salt of the algorithm is, however, this method is low as a SHA1 hash md5 and ordinary. So what can we do? What combination of methods? $ Pass = "pass123" $ Salt = sha1 (md5 ($ pass)); $ Encrypt_pass = md5 ($ salt $ pass); Even if it is not infallible, is very strong, and almost impossible to read without knowing the algorithms, which usually means access to php file .. Of course, if you want to keep passwords safe from other people who can work on a project with you and to have access to files, there is another option to consider. Personally, I prefer to use the "Portable PHP Framework password hash" or phpass, where open source password encryption for phpBB and WordPress is based solution. With this system, a hash is different each time the same password, which means that you must use the password function phpass. Theoretically, making it impossible to decipher.
To use this setting, you need to download files from Open wall. There will be a php file called there Password Hash. PHP class that has the hash. Add to your server requires (or understand) that the page is encrypted password. You can then call the class of hash password: $ T_hasher = new PasswordHash (8, false); $ Hash = $ t_hasher-> HashPassword ($ pass); Then, to check two passwords (when connected, for example): $ Check = $ t_hasher-> Check Password ($ pass, $ hash) / / $ pass is the password for verification and $ hash is the hash of the password stored in the database if ($ data) {/ * Let the user through * /} if ($ data) {/ * Do not allow the user through * /} The PHP test file. It is well commented and have more functions that can be useful to look over. Also test everything to make sure it works on your system. This is a quick overview of what you can do to keep your site and your users secure website
find more at: http://www.youtube.com/watch?v=QWqL-2qq0Jo
Please, please, do not just store passwords in plain text in your database. This is a bad practice and does not maintain the trust users have in you when you register on your site. It's easy to do and very important.
