[thelist] Re: best way to check for valid user/password in PHP

Liam Delahunty ldelahunty at britstream.com
Thu Jan 9 15:25:01 CST 2003


Kelly Hallman wrote:

[stuff]
md5 is a one-way hash because there is no feasible way to determine the
original input that created the hash, and it would be equally difficult to
find two strings that resulted in the same hash.  This way, if someone got
ahold of your username/password data, the hashed passwords would be
useless.
[end quote]

md5 is susceptible to dictionary attacks. I have a database of many common
passwords and their md5 hashes; it's fairly easy to put in a hash and look up
its real value.

However, it's still a lot better than storing plain text. Depending on the
level of security required one must also remember to shove this through a
secure connection otherwise it's all pointless anyhow.

Don't get me started on clients with so called "security" requirements that
then just go and log in insecurely, use ftp[1], or use admin/root level
accounts to get email unsecured! Especially in webmail! Argh!

kind regards,
Liam

[1] http://safetp.cs.berkeley.edu/
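Added example, not part of Liam's post or the thread: a small Python script (rather than PHP, since the point is language-independent) that builds the kind of md5 lookup table he describes and runs it against two leaked hashes. The wordlist, the leaked rows and the salt value are constructed for the demo. The salted scheme is the editor's addition as the standard remedy the post does not spell out: a random per-user salt stored next to the hash makes each user's hash unique, so a table precomputed from bare md5(password) no longer matches. For anything built today the hash itself should also be a slow, purpose-built one (bcrypt, scrypt or Argon2), not md5.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the "database of many common passwords" in the post.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "monkey", "dragon", "trustno1"]


def md5_hex(text: str) -> str:
    """Hex md5 of a UTF-8 string, i.e. what PHP's md5() returns."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def build_lookup_table(words):
    """Precompute md5 -> plaintext once; afterwards reversing any unsalted md5
    of a common password is a single dictionary lookup, no hashing needed."""
    return {md5_hex(w): w for w in words}


def reverse_hash(table, stored_hash):
    """Return the plaintext for stored_hash if it is in the table, else None."""
    return table.get(stored_hash)


def store_unsalted(password):
    """The scheme the post warns about: md5(password) alone."""
    return md5_hex(password)


def store_salted(password, salt=None):
    """Random per-user salt prepended before hashing. The salt is stored beside
    the hash in the clear; its only job is to make every user's hash unique so
    a table precomputed from bare md5(password) cannot be reused."""
    if salt is None:
        salt = os.urandom(8).hex()
    return salt, md5_hex(salt + password)


def verify_salted(password, salt, stored_hash):
    """Login check: rehash the candidate with the stored salt and compare in
    constant time."""
    return hmac.compare_digest(md5_hex(salt + password), stored_hash)


def demo():
    """Run the lookup attack against both schemes and report what it recovered."""
    table = build_lookup_table(COMMON_PASSWORDS)

    # Constructed "leaked" user rows: same weak password stored both ways.
    unsalted_row = store_unsalted("letmein")
    salt, salted_row = store_salted("letmein", salt="5f2c9a1e0b3d7c44")  # constructed salt

    return {
        "unsalted_recovered": reverse_hash(table, unsalted_row),     # "letmein"
        "salted_recovered": reverse_hash(table, salted_row),         # None
        "login_ok": verify_salted("letmein", salt, salted_row),      # True
        "login_wrong": verify_salted("letmeout", salt, salted_row),  # False
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The salt does nothing against someone attacking one specific user with a fast hash like md5; it only stops the one-table-fits-all lookup. That is why a slow hash matters as well.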




More information about the thelist mailing list