Password handling

[espfutbol98]

I was reading one of my scripts and I found an unfamiliar function. I went to the php manual and it wasn't there either. It is the PASSWORD() function and it works like md5() or sha1() but I don't know how the security compares to other ones. If it is not as secure as others, please recommend me one.

[Twinkie]

I get a function undefined error.

Hashing strength is compared by how long the hash string is produced as bits. The more bits a function utilizes, the less chance of a collisions, or finding out the original password.

[espfutbol98]

It works perfectly here:

PHP Code:

<?php
//...
$query = "SELECT username, password, first_name FROM user_info " .
           "WHERE username = '" . $_POST['username'] . "' " .
           "AND password = (PASSWORD('" . $_POST['password'] . "'))";
//...
?>

[Twinkie]

Oh, you might have mentioned it was a MySQL function ;)

It has the same bits and strength compared to sha1. I would recommend sticking with sha1 so you has perform password comparisons in your script without having to run multiple SELECT PASSWORD("[DATA]"); queries.

[misson]

If you're hashing passwords, make sure you use salt. System wide salt prevents rainbow attacks (attacks using a standard dictionary precomputed before getting your system's password data). If you only use system salt, a cracker can still produce a rainbow table for your system. Using both system salt and a per-user salt (the username works for this) prevents dictionary attacks in general.

[espfutbol98]

Oh, it's SQL, I thought it was php. Okay, I'll read up on salting hand hashing. Thanks guys.