If anyone has written a password protected application, how do you store the passwords?

I use sha1() in php, which hashes the password. However, I am using this on an information site where the user can come back and login and ask for more information, and I am thinking that storing the password in a hash like this is a bit of overkill. The main reason for me thinking this is that the password cannot be sent to the user, the user can only be sent a new password and then must change the password back to their old password if they want.

I am just thinking that maybe I don't really need to do this on just a free information service site, it seems a bit of overkill.

Do any of you just store the password as a text string? What else do you use?

One reason why you should always hash the password is because people often use the same password at different places.

So if someone uses the same password at your site and at paypal, and your site is hacked, then the hacker knows the person's paypal password.

Sure... the user shouldn't have used the same password at two places, but you also could have prevented it by using a hash.

Same as Chris, I always store a hash of the password. It's not really a big deal to get sent a new password instead of the existing one. The small inconvenience to your users may save their arse one day (and yours) ;)

Yep, I use a hash too - I used md5 though - having looked, sha1 seems to be stronger?

sha1 is stronger but slightly more cpu intensive. Alot of people switched over once collisions were found in md5. Still, md5 is still secure enough.

Hmm, how difficult would it be to change? Presumably you could either flag the existing ones that are using md5, or make everyone have a new password?

I presumed collisions would be possible, but fairly unlikely I would think?

One reason why you should always hash the password is because people often use the same password at different places.


Exactly.

I never store real passwords, md5 them all. If someone wants a new password I always just send them a random one.

My point: u must hash password AND email
If you respect your visitors u must protect emails too.

In "Forget password" case you can send time (and ip) -limited activation code to user's email so user can login with it during 30 mins from his ip and choose new password. User must enter registration email and u can hash it and compare it to hash from DB, hope its clear.

You can't hash email. IF you did you'd have no way of knowing what a user's email is... so it'd be pointless to even store it.