What to use for password security?
Being a newbie at this (and coding in general), I've been looking at all sorts of different tutorials, articles etc. about PHP and security concerning passwords. This resulted in all sorts of different solutions, when using a MySQL db and PHP. The unfortunate thing is that all of these different articles and/or tutorials seem to contradict one another. Some say md5 is fine for the "mainstream" user, others recommend sha1 or crypt(). Now, as far as I can see, only crypt() seems like a "viable" solution. Using md5 doesn't exactly seem safe, having all sorts of different online decryption sites. Using sha1, even with a salt, doesn't seem any better. A short demonstration is given here:
http://www.youtube.com/watch?v=lrGMxH8WNZ8
All of this leads me to my question. What would be the best solution for a MySQL-driven forum site? It doesn't, in principle at least, contain any "personal information" (couldn't remember the correct English term). Is it necessary to make some SSL solution or...?
Thank you.
Everyone is going to tout bcrypt, which is solid, but I prefer the new PHP5 API password hashing function, which is standard in PHP 5.5.
Read about it here
It is super easy and from what I can tell super secure.
Just set up a 60-length varchar in your db and you're set:
$hash = password_hash($password, PASSWORD_BCRYPT);
and to verify:
if (password_verify($password, $hash)) {
    // password valid!
} else {
    // wrong password :(
}
Since not all hosting servers offer 5.5, you can get the class here
As far as SSL goes, it is recommended.
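An added example, not part of the answer above or of any project's code: a login routine built on password_hash() and password_verify() that also upgrades rows still holding an unsalted md5 digest, and re-hashes with password_needs_rehash() when the configured cost has been raised. The function names, the in-memory $users array (standing in for the MySQL table), the sample passwords and the cost of 12 are assumptions; it assumes PHP 7 or later.

```php
<?php
// Added example. register(), login(), $users and the cost value are
// hypothetical; $users stands in for a MySQL table with a hash column.
const HASH_OPTIONS = ['cost' => 12]; // assumed work factor, tune per server

function register(array &$users, string $name, string $password): void
{
    // password_hash() picks a random salt and stores it inside the hash.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
}

function login(array &$users, string $name, string $password): bool
{
    $stored = $users[$name] ?? null;
    if ($stored === null) {
        return false;
    }
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy row: unsalted MD5 hex digest left over from an older scheme.
        $ok = hash_equals($stored, md5($password));
        $upgrade = $ok;
    } else {
        $ok = password_verify($password, $stored);
        // True when the stored hash uses another algorithm or a lower cost.
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, HASH_OPTIONS);
    }
    if ($upgrade) {
        // Only possible at login, while the plaintext is available.
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, HASH_OPTIONS);
    }
    return $ok;
}

// Constructed sample data: one legacy MD5 row, one low-cost bcrypt row.
$users = [
    'alice' => md5('correct horse'),
    'bob'   => password_hash('hunter2!', PASSWORD_BCRYPT, ['cost' => 10]),
];
register($users, 'carol', 'tr0ub4dor&3');

var_dump(login($users, 'alice', 'wrong guess'));   // wrong password, legacy row
var_dump(login($users, 'alice', 'correct horse')); // right password, legacy row
var_dump(login($users, 'bob', 'hunter2!'));        // right password, old cost
var_dump(login($users, 'carol', 'tr0ub4dor&3'));   // right password, current cost
foreach ($users as $name => $hash) {
    echo $name, ' => ', substr($hash, 0, 7), "...\n"; // algorithm and cost prefix
}
```

In a real table the rewrite inside login() would be an UPDATE on the user's row, run with a prepared statement.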