Quote:
Originally Posted by Barry-xlovecam
We let them use their own password and then use strong encryption to store it in the database ...
The right encryption is important, especially if you use a lot of PHP to drive your
site, as many sites do these days. Especially on a PHP powered site, you have to
assume that the bad guys can see your database. That means that unless the passwords
are properly encrypted, they can see ALL of your passwords. Having thousands of
passwords posted everywhere is not a fun experience, so they need to be encrypted to
keep the bad guys from reading them and posting them. (Technically, they are hashed
So what's the proper encryption? By default, the processors use a type of encryption
called a DES hash. It's used because it's always available, having been a standard
since 1972. In 1972, it was pretty hard to crack. Of course, computers of the time
had 500 kHz processors and 8 KB of RAM. It would take a few years to crack a DES
password, since the 8 bit CPU ran at 0.0005 GHz. In 2011, with quad core 64 bit
2 GHz processors, they can be cracked over 80,000 times faster. Running a typical
DES password list on a modern machine gives up passwords in under one second.
So DES is useless, but it's still the default.
For modern attackers, rather than 1972 attackers, you want modern encryption.
Given the Blowfish bug, that means salted SHA if your server supports it or salted
MD5 if not. The geeks who make Linux made it very easy to upgrade your encryption.
All that needs to be done is to adjust your processor's script to pass a different salt
value, and we can take care of that for you. Today's encryption is expected to be
solid for another 30 years or so, so in 2041 you can upgrade again.
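
To see which stored passwords still use the old DES default, the scheme can be read off each hash, because the salt prefix that selects the algorithm is kept at the front of the result. The following audit script is an added example, not part of the original post; it assumes an htpasswd-style `user:hash` file, and the sample entries are constructed placeholders rather than real hashes.

```python
import re

# crypt(3) selects the algorithm from the salt prefix, and that prefix is
# stored at the front of the resulting hash, so it identifies the scheme.
SCHEMES = [
    (re.compile(r"^\$6\$"), "sha512-crypt"),
    (re.compile(r"^\$5\$"), "sha256-crypt"),
    (re.compile(r"^\$2[abxy]\$"), "bcrypt"),        # Blowfish-based
    (re.compile(r"^\$apr1\$"), "apache-md5"),       # Apache htpasswd MD5 variant
    (re.compile(r"^\$1\$"), "md5-crypt"),
    # Traditional DES: no prefix, exactly 13 chars (2 salt + 11 hash).
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt"),
]

def classify(hash_field):
    """Return the scheme name for one stored hash, or 'unknown'."""
    for pattern, name in SCHEMES:
        if pattern.match(hash_field):
            return name
    return "unknown"

def audit(lines):
    """Group usernames by hash scheme for user:hash lines."""
    report = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue  # skip blanks, comments and malformed lines
        user, hash_field = line.split(":")[:2]
        report.setdefault(classify(hash_field), []).append(user)
    return report

# Constructed sample: usernames and hash bodies are placeholders.
SAMPLE = """\
# user:hash
alice:xxAAAAAAAAAAA
bob:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB
carol:$6$saltsalt$CCCCCCCCCCCCCCCCCCCCCC
dave:$apr1$saltsalt$DDDDDDDDDDDDDDDDDDDDDD
erin:$5$saltsalt$EEEEEEEEEEEEEEEEEEEEEE
frank:not-a-crypt-hash
"""

if __name__ == "__main__":
    for scheme, users in sorted(audit(SAMPLE.splitlines()).items()):
        print(f"{scheme:13} {len(users):3}  {', '.join(users)}")
```

Accounts reported as `des-crypt` or `unknown` are the ones to re-hash first; since a hash cannot be converted in place, that happens when the user next sets or enters a password.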