01-24-2004, 02:05 PM
Libertine
sex dwarf
 
 
Join Date: May 2002
Posts: 17,860
Quote:
Originally posted by beemk
sending this page to the password boards....
Go ahead. It won't make it much easier to brute force a 32 character string (like md5), and there are quite a few different encoding algos out there, so to get them all they'd have to create even huger password lists... up to the point where using a list takes almost as much time as brute forcing


Another tip, for very inexperienced programmers: if you store passwords in a database, don't store passwords in plain text form. Instead, use a one way hash like md5. If people lose their password, resend them a reset random password, which they can change again in their accounts.
This way, if your database ever gets compromised, the stupid ones among your customers (i.e. the ones that use a single password for all their stuff) have less chance of getting screwed - and blaming you, because you were the one that leaked their password.
(of course crackers can still run wordlists against the hashes and have a fairly good chance of finding weak passes that way, but it's better than nothing)
__________________
/(bb|[^b]{2})/
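Added example, not code from the original post: a small Python implementation of the storage pattern the post describes (store only a one-way hash, verify by re-hashing, reset with a random temporary password) plus a defender-side audit that shows the post's caveat, namely that a hashed password taken from a wordlist is still recoverable from a leaked table. The post names md5; this example swaps in salted PBKDF2-HMAC-SHA256 from the standard library so that two users with the same password do not share a hash. The in-memory `USERS` table, the `ITERATIONS` value and the sample accounts are constructed for the example.

```python
import hashlib
import os
import secrets

# Constructed in-memory stand-in for the database table that would leak if
# the site were compromised. Maps username -> {"salt": bytes, "hash": bytes}.
USERS: dict = {}

# Assumed PBKDF2 work factor for this example; real deployments tune this.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    """One-way hash of a password. The post suggests md5; this example uses
    salted PBKDF2-HMAC-SHA256 instead (a swapped-in choice, not the post's)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def store_user(username: str, password: str) -> None:
    """Store only a fresh random salt and the hash, never the plaintext."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(username: str, password: str) -> bool:
    """Re-hash the supplied password with the stored salt and compare in
    constant time; unknown users fail without revealing that they are unknown."""
    record = USERS.get(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    return secrets.compare_digest(candidate, record["hash"])


def reset_password(username: str) -> str:
    """The post's reset flow: generate a random temporary password, store
    only its hash, and return the plaintext once so it can be sent to the
    user, who then changes it from their account."""
    temporary = secrets.token_urlsafe(12)
    store_user(username, temporary)
    return temporary


def audit_weak_passwords(wordlist: list) -> list:
    """Defender-side check of the post's caveat: hashing does not protect a
    password that appears in a wordlist. Returns the usernames whose stored
    hash matches some word from the list, so those accounts can be forced
    through a reset."""
    weak = []
    for username, record in USERS.items():
        for word in wordlist:
            if secrets.compare_digest(hash_password(word, record["salt"]), record["hash"]):
                weak.append(username)
                break
    return weak


if __name__ == "__main__":
    # Constructed sample accounts: one strong password, one from a wordlist.
    store_user("alice", "correct horse battery staple")
    store_user("bob", "password")
    print("weak accounts:", audit_weak_passwords(["123456", "password", "letmein"]))
    new_temp = reset_password("bob")
    print("bob's temporary password (sent once, then hashed):", new_temp)
    print("old password still works?", verify_password("bob", "password"))
```

Running the audit against your own table with a short list of known-weak passwords is the practical use of the caveat: the hashes do not stop the check, which is exactly why the matching accounts should be reset.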