if my web login is occurring under SSL

Discussion in 'OT Technology' started by johnnywallywallace, Sep 16, 2003.

  1. is MD5 hashing even necessary?
  2. RaginBajin

    RaginBajin Have you punched a donkey today?

    Can you give an example of how you are doing your web login?

    I am thinking of a project that I want to start that deals with user authentication to a website, but I have no clue on how that all works. Still trying to figure out how to protect the data that the user does not have rights to (i.e. when you move pages, how does it know what user is logged in, etc.).

    Sorry to hijack your thread. :)
  3. crotchfruit

    crotchfruit Guest

    well, if you have a DB on the server side storing passwords, those passwords should be stored as some sort of hash and not plaintext - so that just in case you're ever "hacked".. it will be harder to get everyone's passwords.

    so yes, if the passwords are stored as a hash on the server side, it is safe to say that some sort of hashing will be necessary for comparison.
  4. server-side why not just pwdencrypt("pwdstring") ?
  5. crotchfruit

    crotchfruit Guest

    i'm not familiar with the use of that function. can you explain why using pwdencrypt on the server is a non-hashing alternative?

    as far as i know, pwdencrypt uses the SHA hash to generate the output, so you're basically doing something akin to an MD5 hash (just stronger.)
  6. pwdencrypt is SQL-side, you can store your password using pwdencrypt in a varbinary(256) field and then pwdencrypt the password value passed during login and do a pwdcompare on the two ... I don't have to IMPLEMENT the hash as I would with MD5.
  7. crotchfruit

    crotchfruit Guest

    ok, i understand. from the first post i thought that your concern was whether or not a hash was necessary, not that you just didn't want to implement one. pwdencrypt seems ok to me.
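The SQL-side check discussed in posts 4 to 7, as an added T-SQL example that is not code from anyone in the thread. It stores a `PWDENCRYPT` value in a `varbinary(256)` column and verifies a login with `PWDCOMPARE`, which takes the submitted plaintext and the stored hash. The table, procedure, account name and password are hypothetical.

```sql
-- Constructed example: dbo.AppUser, dbo.CheckLogin and the sample account are hypothetical.
CREATE TABLE dbo.AppUser (
    UserName     nvarchar(64)   NOT NULL PRIMARY KEY,
    PasswordHash varbinary(256) NOT NULL   -- column size mentioned in the thread
);

-- Registration: only the salted hash is stored, never the plaintext.
INSERT INTO dbo.AppUser (UserName, PasswordHash)
VALUES (N'alice', PWDENCRYPT(N'correct horse battery staple'));

-- PWDENCRYPT uses a fresh random salt on every call, so hashing the
-- submitted password again and testing for equality against the stored
-- value does not find the row, even when the password is right.
SELECT COUNT(*) AS EqualityMatches
FROM dbo.AppUser
WHERE UserName = N'alice'
  AND PasswordHash = PWDENCRYPT(N'correct horse battery staple');
GO

-- Login check: PWDCOMPARE(clear_text_password, password_hash) re-derives
-- the hash with the salt embedded in the stored value and returns 1 on a match.
-- Parameters keep the submitted values out of the SQL text.
CREATE PROCEDURE dbo.CheckLogin
    @UserName nvarchar(64),
    @Password nvarchar(128)
AS
BEGIN
    SET NOCOUNT ON;
    SELECT CASE WHEN EXISTS (
               SELECT 1
               FROM dbo.AppUser
               WHERE UserName = @UserName
                 AND PWDCOMPARE(@Password, PasswordHash) = 1
           ) THEN 1 ELSE 0 END AS LoginOk;
END;
GO

-- One call with the registered password, one with a wrong one.
EXEC dbo.CheckLogin @UserName = N'alice', @Password = N'correct horse battery staple';
EXEC dbo.CheckLogin @UserName = N'alice', @Password = N'wrong password';
```

Microsoft's documentation describes `PWDENCRYPT` as an older function that might not be supported in a future release and points to `HASHBYTES` instead.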
