
Storing Passwords

BlackRaven

5:56 am on Apr 6, 2007 (gmt 0)

10+ Year Member



How do you guys go about filtering passwords before storing them? I have my username filter set to only allow numbers and letters, but I am not sure how to implement a filter for passwords, as people may prefer using special characters for better protection, which may inadvertently lead to cross-site scripting vulnerabilities.

eelixduppy

6:01 am on Apr 6, 2007 (gmt 0)



I do not think "unfiltered" passwords would be that much to worry about if handled properly. I would, however, restrict the length of the password to around 10 characters. Also, you could maybe run a preg_match [php.net] for some "bad" characters and, if any are found, prompt the user to create a different password without those characters.

If you provide specific information about what you want to filter in the passwords we might be able to get some code flowing ;)

whoisgregg

1:18 pm on Apr 6, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I'm a strong proponent of never storing plain text user passwords. If you only store a hash of what they provide, they could use the declaration of independence as their password without any detrimental effects. They could also use any special characters they want -- so long as they send the same string each time, it will hash out to the same 32 characters each time.

Read the third message in this thread [webmasterworld.com] for more details.

jatar_k

1:36 pm on Apr 6, 2007 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> they could use the declaration of independence as their password without any detrimental effects

I am going to have to use that, well said

don't worry about what chars they use for their password unless you are forcing them to use a stronger password

I would say 10 is a bit short, make sure they don't use one that is too short

eelixduppy

1:50 pm on Apr 6, 2007 (gmt 0)



>> I would say 10 is a bit short, make sure they don't use one that is too short

Yes, I immediately regretted having said that because I actually have never done that, and also realized that I never addressed the actual thread's question in the first place: storing passwords.

I'd have to agree with Greg; I always hash the password, too, using MD5 [php.net] mostly, but there are others that would work just as nicely. If you are storing the passwords in a database, make sure you allow for enough bytes in the password column to hold a hash, which I believe is around 41 bytes (don't quote me on that, I'm not thinking straight today! ;))

whoisgregg

3:24 pm on Apr 6, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Also, be sure to salt the hash with a secret word.

$password_hash = md5( $_POST['pass'].'some secret string');

Otherwise, an attacker who obtains your database of MD5'd passwords can compare the stored hashes against a table of hashes for common passwords to "guess" what the true password really is.

For example:

echo md5('abc123'); // e99a18c428cb38d5f260853678922e03

If an attacker can access your user database and sees "e99a18c428cb38d5f260853678922e03" as the password hash, they could reasonably assume that "abc123" is the actual password. Since people tend to use the same password everywhere, you may have just given away a user's bank password. Concatenating a secret string with the password before hashing it solves this problem.

supermanjnk

3:09 pm on Apr 9, 2007 (gmt 0)

10+ Year Member



Do you suggest manually typing in the salt string each time you hash? Or is it better to store it in a variable in a config file and call it from there?

whoisgregg

5:01 pm on Apr 9, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The salt is used in two places: where you initially generate the hash that is stored in the database and in your sign in page that generates a hash for comparison against the database. Since these would most likely be two different scripts, storing the salt in one location definitely makes sense.
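Putting whoisgregg's two points together (hash with a secret string so a dumped table cannot be matched against precomputed hashes, and keep that secret in one shared location used by both the registration and the sign-in code), the following is an added example and not code from the thread or from any poster. It is written in Python rather than PHP so it can be run as-is, and it goes beyond the thread's single site-wide secret to the form salting normally takes: a random per-user salt stored inside the password record next to a slow, iterated hash (PBKDF2-HMAC-SHA256 from the standard library), with the site-wide secret folded in as an HMAC key. SITE_SECRET, ITERATIONS, the record format and the small table of common-password MD5s are all constructed for this example.

```python
import hashlib
import hmac
import os

# Site-wide secret kept in one configuration location, as the last post
# suggests. PLACEHOLDER value for this example: in a real deployment load it
# from a config file outside the web root or from the environment.
SITE_SECRET = b"some secret string"

# PBKDF2 work factor; an assumption chosen for this example.
ITERATIONS = 100_000

# Constructed stand-in for the precomputed tables of common-password hashes
# that the thread warns about.
COMMON_PASSWORDS = ["123456", "password", "abc123", "letmein", "qwerty"]
MD5_LOOKUP = {hashlib.md5(p.encode("utf-8")).hexdigest(): p for p in COMMON_PASSWORDS}


def crack_unsalted_md5(stored_hex):
    """Return the password whose plain MD5 matches stored_hex, or None."""
    return MD5_LOOKUP.get(stored_hex)


def site_secret_md5(password):
    """The thread's construction: md5(password . secret), same secret for every user."""
    return hashlib.md5(password.encode("utf-8") + SITE_SECRET).hexdigest()


def hash_password(password, salt=None):
    """Produce a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Each call draws a fresh 16-byte random salt, so two users with the same
    password get different records and one lookup table cannot cover both.
    The record has a fixed length whatever the password length, which is what
    the database column has to be sized for.
    """
    if salt is None:
        salt = os.urandom(16)
    # Fold the site-wide secret in as an HMAC key: a dumped table alone is not
    # enough to start guessing, and the secret is never stored with the hashes.
    keyed = hmac.new(SITE_SECRET, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", keyed, salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, record):
    """Recompute from the parameters in the record and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
    except ValueError:
        return False
    if iterations < 1:
        return False
    keyed = hmac.new(SITE_SECRET, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)
    # compare_digest avoids leaking, through timing, how many bytes matched.
    return hmac.compare_digest(dk.hex(), parts[3])


if __name__ == "__main__":
    leaked = hashlib.md5(b"abc123").hexdigest()
    print("unsalted md5 of abc123 cracks to:", crack_unsalted_md5(leaked))
    print("md5(password . secret) cracks to:", crack_unsalted_md5(site_secret_md5("abc123")))
    print("two users, same password, same site secret:",
          site_secret_md5("abc123") == site_secret_md5("abc123"))
    rec_a, rec_b = hash_password("abc123"), hash_password("abc123")
    print("two users, same password, per-user salt:", rec_a == rec_b)
    print("verify correct password:", verify_password("abc123", rec_a))
    print("verify wrong password:", verify_password("abc124", rec_a))
```

The constructed MD5 table plays the role of the lookup table whoisgregg describes: the unsalted hash of abc123 is found instantly and the md5(password . secret) variant is not, but under that variant any two users who chose abc123 still share an identical hash and one leaked config file exposes everyone at once. The per-user salt removes both properties, verify_password rebuilds the hash from the parameters stored in the record (so the iteration count can be raised later without breaking old accounts), and the sign-in code only needs the same SITE_SECRET, not a copy of any per-user value.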