SHA and MD5 are hashing algorithms; they provide only one-way encryption.
You can't decode them easily and you need special cracking software for it.
The hashing is only a server-side security measure, but it's not bulletproof.
Most passwords are also stored in a cookie or session; these have the drawback that they could be hijacked.
What the hacker does is just modify the browser cache and replace the cookie value with the found hash to get into your system.
To reduce the risk the cookie name should be dynamic (per website), and that way the hacker has to choose between 2 tougher tasks:
- guess the cookie name
- crack the hash
Another option to md5 is using sha1() (in PHP 4.3 and up).
At the moment it takes up to 3.5 years to crack a sha1, or 59 hours for a supercomputer.
PHP5 has the ability to use the hash in binary format instead of converted to hex encoding. Another benefit here, since a lot of script kiddies can't copy/paste the binary cookie that easily (mostly due to special characters like 0x00, 0x07, etc.).
Session handling is a solution to prevent line tapping; that way the client never receives login details, only a cookie with a session ID. The hacker has to close his browser, hijack his cookie cache and start the browser.
With sessions you could prevent this by locking the session to an IP; if the IP of the client doesn't match the session, it will be destroyed and the client has to log in.
This does have issues with people on AOL, since AOL changes your IP almost every minute, which makes it annoying for them.
To prevent this you could use the HTTP_USER_AGENT instead of the IP, and that way the hacker must have the same browser as you do.
If you don't need all this security then plain-text passwords are more than sufficient and allow the client to receive his password by email if he forgot it.
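The session-locking idea from the post, put together as a small PHP script. This is an added example, not code from the post or any project it mentions: the user record is constructed, and the function names (`client_fingerprint`, `login`, `session_is_valid`) and the `SESSION_BIND_MODE` constant are assumptions for illustration. It stores `sha1()` of the password as the post suggests, gives the session cookie a per-site name instead of the default `PHPSESSID`, binds the session to either the client IP or the `HTTP_USER_AGENT` (switchable, because of the changing-IP problem the post describes), destroys the session when the bound value no longer matches, and additionally regenerates the session ID at login so a cookie value present before login does not survive into the authenticated session.

```php
<?php
// Added example (not from the original post). Function names, the user
// record and SESSION_BIND_MODE are assumptions for illustration.

// Which request attribute the session is bound to: 'ip' or 'agent'.
// IP binding breaks for clients whose address changes often (the post's
// AOL case), so the user agent is the alternative the post offers.
define('SESSION_BIND_MODE', 'agent');

// Constructed user store: only sha1() of the password is kept, never the
// plain text. The post's PHP5 binary variant would be sha1($pw, true).
$users = array(
    'alice' => sha1('correct horse battery staple'),
);

// Per-site cookie name, as the post suggests, instead of PHPSESSID.
$site = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : 'localhost';
session_name('sess_' . substr(sha1($site), 0, 8));
session_start();

// The value the session is locked to, chosen by SESSION_BIND_MODE.
function client_fingerprint()
{
    if (SESSION_BIND_MODE === 'ip') {
        return isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    }
    return isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
}

// Verify the submitted password against the stored hash and open a session.
function login($username, $password)
{
    global $users;
    if (!isset($users[$username])) {
        return false;
    }
    if (sha1($password) !== $users[$username]) {
        return false;
    }
    // Fresh session ID on login: a cookie value that existed before the
    // login cannot be reused for the authenticated session (added mitigation).
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['fingerprint'] = client_fingerprint();
    return true;
}

// The check the post describes: if the bound attribute no longer matches,
// the session is destroyed and the client must log in again.
function session_is_valid()
{
    if (!isset($_SESSION['user'], $_SESSION['fingerprint'])) {
        return false;
    }
    if ($_SESSION['fingerprint'] !== client_fingerprint()) {
        $_SESSION = array();
        session_destroy();
        return false;
    }
    return true;
}

// Usage: a request after login passes, a request whose bound attribute
// differs (e.g. a copied cookie presented from another browser) is rejected.
if (login('alice', 'correct horse battery staple')) {
    echo session_is_valid() ? "session ok\n" : "session rejected\n";
}
```

The user-agent string is sent by the client and is the same for everyone running the same browser build, so binding to it raises the bar only as far as the post claims (the attacker needs the same browser), not further. Because the example keeps the post's plain `sha1()` storage, note that on PHP 5.5 and later `password_hash()` / `password_verify()` give a salted, slow hash for the same `login()` shape; the session-binding logic is unchanged by that swap.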