Building Browsergames: Stop Using MD5

  • George Olah · 8 months ago
    I use static salt, dynamic salt and sha1. A very good article about this can be found on CodeIgniter's Portal : http://codeigniter.com/news/codeigniter_communi...
  • Data33 · 6 months ago
    "If you want to migrate people over to the new hash, then just create a new column in the DB which will hold it and set it to null. Then on login, if this value is null redirect them to a change your password page. *Require it*. Then after some months, drop the MD5 column, clean up the logic and have the remain inactive users use the forgot your password feature if they want to play again."

    Instead of having each player change their passwords, wouldn't it be easier to catch the posted password at login and perform the change automatically from md5 to whatever new algorithm you choose? Of course you'd also have to remove the md5 hash after changing it, or it would be sort of pointless.
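The transparent migrate-on-login approach described in the comment above, written out as an added example (not code from the thread or the article it discusses). It assumes PBKDF2-HMAC-SHA256 with a random per-user salt as the replacement algorithm, since the thread names none, and uses a Python dict in place of the database row; the user record, password and column names are constructed for the example.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware

# Constructed sample user table. The legacy "md5" column holds the old
# unsalted digest; "new_hash" is NULL until the user next logs in.
LEGACY_PASSWORD = "correct horse battery"  # constructed sample value
USERS = {
    "alice": {
        "md5": hashlib.md5(LEGACY_PASSWORD.encode()).hexdigest(),
        "new_hash": None,
    }
}


def make_new_hash(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, stored as scheme$rounds$salt$digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_new_hash(password, stored):
    """Recompute with the stored salt and rounds; compare in constant time."""
    scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def login(users, username, password):
    """Authenticate; on a successful legacy (MD5) login, upgrade the record.

    Returns True on success. The MD5 digest is cleared as soon as the new
    hash is written, so the weak hash does not linger next to the strong one.
    """
    user = users.get(username)
    if user is None:
        return False

    # Already migrated: only the new hash is consulted.
    if user["new_hash"] is not None:
        return verify_new_hash(password, user["new_hash"])

    # Legacy path: we have the plaintext in hand for this one request,
    # so verify against MD5, then rehash and drop the MD5 column value.
    if user["md5"] is None:
        return False
    candidate = hashlib.md5(password.encode()).hexdigest()
    if not hmac.compare_digest(candidate, user["md5"]):
        return False
    user["new_hash"] = make_new_hash(password)
    user["md5"] = None  # remove the legacy hash, or the migration is pointless
    return True


if __name__ == "__main__":
    print("before:", USERS["alice"])
    print("login ok:", login(USERS, "alice", LEGACY_PASSWORD))
    print("after: ", USERS["alice"])
```

Users who never log in again keep their MD5 digest, so the forced-reset step from the quoted plan still applies to whatever is left when the legacy column is finally dropped. The `compare_digest` calls are a small hardening against timing differences; the unknown-user branch returns early and could be given a dummy hash computation if enumeration by response time matters to you.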
  • SpyrosPan · 1 month ago
    I can't really see why you think MD5 is weak while in fact this is far away from the truth. You imply that bruteforcing it is easy but this is definitely not the case once more of course. But anyway, this is just an opinion.
  • Bob Dole · 7 months ago
    Bah... the guy bashing security through obscurity is a moron or simply approaching the subject way too narrowly. First, no one is suggesting that you EVER use ONLY security by obscurity, but that you use it in addition to all other best practices as well. Not only that, but obscurity isn't limited by simply changing your database names from the generic 'password' name to something like 'pWord'. There are lots of things you can do:

    - Use Post instead of Get
    - Don't use common file names like admin.php, config.php, etc.
    - Hide your files by starting your directories with a period
    - Generate random field names for each user's request.

    These methods aren't the end-all-be-all of security, but when used in conjunction with other best practices, they make it that much more difficult for a would-be villain to nab your stuff.