I'm trying to share logins between my app and an IPB forum.
I've seen that Invision is providing a module to share the credentials: IPS Connect.
To make it simple, there is a master application and one or several slaves. The slaves are sending the credentials that the master needs to store through an API.
The stuff is that for the register or login methods IPB is sending an md5 hash of the password. There is no way I'll store an md5 in my db so I was thinking to use bcrypt on the md5 hash doing something like:
$storedPassword = bcrypt(md5(pwd) + salt);
What do you think about this alternative, is it a good practice to hash with bcrypt on top of an md5 hash?
Although it's perfectly fine to use $storedPassword = bcrypt(md5(pwd) + salt); in your application, security-wise it has little benefit. Also, it isn't needed to add your own salt to the encryption. bcrypt will take care of that internally and you don't need to save the salt anywhere.
An attacker targets the weakest link, and if the other server just uses md5, they can attack that site to get the password and then it doesn't matter how strong you secured it.
But then again, closing one door is still better than leaving everything open.
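The scheme discussed above, sketched for the master application as an added example (not part of the original answer and not IPS Connect code). The function names are hypothetical, and it assumes the slave sends the MD5 as a 32-character hex string; the hex form matters because it is well under bcrypt's 72-byte input limit and contains no NUL bytes, which a raw binary digest could.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for the master application; all names are assumptions.

/** Accept only a 32-character hex MD5 digest (assumed wire format). */
function normalizeMd5(string $md5Hex): string
{
    $md5Hex = strtolower(trim($md5Hex));
    if (!preg_match('/\A[0-9a-f]{32}\z/', $md5Hex)) {
        throw new InvalidArgumentException('expected a 32-character hex MD5 digest');
    }
    return $md5Hex;
}

/** Register: wrap the received MD5 digest in bcrypt before storing it. */
function hashForStorage(string $md5Hex): string
{
    // password_hash() generates a random salt itself and embeds it, together
    // with the cost, in the returned string. No separate salt column is needed.
    return password_hash(normalizeMd5($md5Hex), PASSWORD_BCRYPT, ['cost' => 12]);
}

/** Login through a slave: the forum sends the MD5 digest again. */
function verifyFromSlave(string $md5Hex, string $stored): bool
{
    return password_verify(normalizeMd5($md5Hex), $stored);
}

/** Login in the master app itself: rebuild the same MD5 layer first. */
function verifyPlaintext(string $password, string $stored): bool
{
    return password_verify(md5($password), $stored);
}

// Constructed sample data, not real credentials.
$fromForum = md5('correct horse battery staple'); // what the slave would send
$stored    = hashForStorage($fromForum);          // value written to the db

var_dump(verifyFromSlave($fromForum, $stored));
var_dump(verifyPlaintext('correct horse battery staple', $stored));
var_dump(verifyPlaintext('wrong password', $stored));
// Lets the cost be raised later without touching the MD5 layer.
var_dump(password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 12]));
```

Because the MD5 digest is the value that authenticates the user, it should be treated like a password on the wire and in logs: the bcrypt layer only protects the master's own database.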