

Looking for a secure login script

or just a good method or tips

         

twist

8:58 pm on Jan 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I want to give people that advertise on my site a login so they can edit their own ads. For example, john_smith wants to log into his Burger_Eater restaurant account and update the menu for the week. So he opens the sponsor section of my website and is greeted by a username/password login.

I could use .htpasswd password for every user but this could become quite cumbersome and I would prefer to not scare any users with popups. So I am looking for a php/mysql solution.

If someone knows of a great open-source script that I could, if nothing else, study for ideas that would be very helpful.

Otherwise, any tips for encrypting the password into the database and how to send the user his original password. Should I be sending passwords over email?

Since, no doubt, many of you have already been through this, maybe just a link to a great tutorial or some personal tips would be enough.

supermanjnk

9:01 pm on Jan 21, 2005 (gmt 0)

10+ Year Member



md5 hash would be a way of securing it; however, there is really no easy way to reverse an md5 hash, so if they lost their password it would have to be removed and a new one entered.

dreamcatcher

9:18 pm on Jan 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The general rule is to use some form of encryption on your passwords. supermanjnk has already mentioned md5(), which is pretty sound. Also, limit the user in what they can input. For example, restrict usernames and passwords to alphanumeric data only.

On my site I have the password encrypted, but also a PIN number for secondary-level authorisation, encrypted too. This is used by a lot of banks and is pretty effective, especially if you are using cookies and someone has gained access to someone else's account.
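An added example, not code from the thread, showing what the md5() advice above looks like next to what a PHP password store should do. It assumes PHP 7.1 or later (password_hash(), password_verify(), hash_equals() and array destructuring); the user names, passwords and function names are my own. The md5($user . $pass) variant it compares against is the one proposed further down this thread. Note that password_hash() picks a random salt itself, so nothing about the username needs to go into the input, and that restricting passwords to alphanumeric characters only makes them easier to guess; input restriction belongs on usernames and on the SQL layer (prepared statements), not on the password.

```php
<?php
// Added example (not from the thread): compares unsalted md5(), per-user
// md5($user . $pass) and password_hash() as password stores.
// Run from the command line: php hashing_demo.php  (assumes PHP 7.1+)
declare(strict_types=1);

// Unsalted md5, as suggested in the thread: two users with the same password
// get the same digest, and the digest can be looked up in precomputed tables.
function legacy_md5_store(string $password): string
{
    return md5($password);
}

// Per-user hashing, i.e. md5($user . $pass) as posted later in this thread,
// hides shared passwords but is still a single fast hash: whoever dumps the
// table can try billions of guesses per second against each row.
function legacy_user_md5_store(string $user, string $password): string
{
    return md5($user . $password);
}

// Recommended: password_hash() generates a random salt, runs a deliberately
// slow algorithm (bcrypt with PASSWORD_DEFAULT) and encodes salt, cost and
// algorithm into the stored string.
function store_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// password_verify() re-derives the hash from the stored salt and compares in
// constant time.
function check_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Migration path for an existing table of md5 digests: accept the legacy digest
// once and replace the row with a password_hash() value on that login.
// Returns [login_ok, hash_to_store].
function verify_and_upgrade(string $password, string $stored, string $user): array
{
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {        // legacy md5 row
        $ok = hash_equals($stored, md5($password))
           || hash_equals($stored, md5($user . $password));
        return [$ok, $ok ? store_password($password) : $stored];
    }
    $ok = password_verify($password, $stored);
    $newHash = ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT))
        ? store_password($password) : $stored;                     // raise cost later
    return [$ok, $newHash];
}

// --- demo with constructed sample users ---------------------------------
$alice = legacy_md5_store('burger123');
$bob   = legacy_md5_store('burger123');
echo "unsalted md5 equal for two users:   " . var_export($alice === $bob, true) . "\n";   // true

$aliceH = store_password('burger123');
$bobH   = store_password('burger123');
echo "password_hash equal for two users:  " . var_export($aliceH === $bobH, true) . "\n"; // false
echo "verify correct password:            " . var_export(check_password('burger123', $aliceH), true) . "\n";
echo "verify wrong password:              " . var_export(check_password('burger124', $aliceH), true) . "\n";

[$ok, $upgraded] = verify_and_upgrade('burger123', legacy_user_md5_store('john_smith', 'burger123'), 'john_smith');
echo "legacy row accepted:                " . var_export($ok, true) . "\n";
echo "row now stored as:                  " . substr($upgraded, 0, 4) . "...\n";          // $2y$...
```

Because the stored hash cannot be reversed, "send the user his original password" is not possible with this design, which is the point: a forgotten password is handled with a reset, not by mailing the old one back.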

dmmh

9:27 pm on Jan 21, 2005 (gmt 0)

10+ Year Member



I don't know if I can post links to this site... so I guess I'll find out. Hope these are useful :)

[devarticles.com...]

It pretty much covers all the basics

mcibor

10:21 pm on Jan 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Could someone please tell me how I can hash the password on the user side? I use md5 to compare the input with the field stored in the database, but the password is still sent to me in plain text.

I know about ssl, but don't want to use it, because of the popup window "You're coming into ssl secure page" and "You're going out of ssl secured page".

I know it can be done because if you look what yahoo is sending it's just crap :)

Best wishes

Michal Cibor

PS. To avoid password comparing I use such function:

$passHash = md5($user . $pass);

This way, even if two users have the same pass, you won't know that after just looking into the db.
PS. User "" is not allowed.

ergophobe

11:14 pm on Jan 21, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Have a look at the Perl-Javascript MD5 encryption at sourceforge

[sourceforge.net...]

You'll need Paul Johnson's Javascript MD5 to go with it (supposedly the same algo that Yahoo! uses).

[pajhome.org.uk...]

Tom
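An added example, not code from the thread or from the libraries linked above, showing the challenge-response pattern that a browser-side MD5 library is normally used for, with both sides written in PHP so it runs offline. It assumes PHP 7.1 or later, that the server stores md5($user . $pass) as mcibor describes, and that in a real deployment the client functions would be the JavaScript half computing the same HMAC-MD5 in the browser; the user name, nonce lifetime and function names are my own.

```php
<?php
// Added example (not from the thread): nonce-based challenge-response login
// with both client and server simulated in PHP.  Assumes PHP 7.1+.
declare(strict_types=1);

// Server-side credential store (constructed sample user). The stored value is
// md5($user . $pass), as proposed earlier in the thread.
$users = ['john_smith' => md5('john_smith' . 'burger123')];

// Outstanding nonces: nonce => [user, issued_at]. Each nonce is valid once.
$nonces = [];

// Step 1: the server issues a fresh random nonce for this login attempt.
function server_challenge(string $user, array &$nonces): string
{
    $nonce = bin2hex(random_bytes(16));
    $nonces[$nonce] = [$user, time()];
    return $nonce;
}

// Step 2: the client derives the secret from what the user typed and answers
// HMAC-MD5 over the nonce keyed with that secret. The password itself never
// leaves the browser; only this one-time response does.
function client_response(string $user, string $typedPassword, string $nonce): string
{
    $secret = md5($user . $typedPassword);
    return hash_hmac('md5', $nonce, $secret);
}

// Step 3: the server recomputes the expected answer from its stored secret,
// compares in constant time, and burns the nonce so a captured response
// cannot be replayed.
function server_verify(string $user, string $nonce, string $response,
                       array $users, array &$nonces, int $maxAge = 60): bool
{
    if (!isset($nonces[$nonce]) || $nonces[$nonce][0] !== $user) {
        return false;                                 // unknown or foreign nonce
    }
    $issued = $nonces[$nonce][1];
    unset($nonces[$nonce]);                           // single use, even on failure
    if (time() - $issued > $maxAge || !isset($users[$user])) {
        return false;
    }
    $expected = hash_hmac('md5', $nonce, $users[$user]);
    return hash_equals($expected, $response);
}

// Normal login
$nonce = server_challenge('john_smith', $nonces);
$resp  = client_response('john_smith', 'burger123', $nonce);
echo "good login:     " . var_export(server_verify('john_smith', $nonce, $resp, $users, $nonces), true) . "\n"; // true

// Replaying the captured response fails because the nonce was consumed
echo "replay:         " . var_export(server_verify('john_smith', $nonce, $resp, $users, $nonces), true) . "\n"; // false

// Wrong password
$nonce2 = server_challenge('john_smith', $nonces);
$bad    = client_response('john_smith', 'burger124', $nonce2);
echo "wrong password: " . var_export(server_verify('john_smith', $nonce2, $bad, $users, $nonces), true) . "\n"; // false

// The catch: the stored digest is password-equivalent. Someone who dumps the
// users table can answer any challenge without ever knowing the password.
$nonce3 = server_challenge('john_smith', $nonces);
$forged = hash_hmac('md5', $nonce3, $users['john_smith']);
echo "db-dump login:  " . var_export(server_verify('john_smith', $nonce3, $forged, $users, $nonces), true) . "\n"; // true
```

What this buys is narrow: the typed password does not cross the wire, and a sniffed response cannot be replayed once the nonce is gone. It does nothing for the session cookie or any page after the login, an attacker on the path can still relay the exchange, and as the last run shows the server-side digest is as good as the password, so it is not a substitute for TLS.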

twist

4:06 am on Jan 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I appreciate all the replies so far and am reading through the different articles and will probably be back with more questions soon.

Just a few quick questions though,

If I am using php/mysql, do I still need javascript for encryption also?

I was considering just not using cookies at all and just relying on the session variable, because I would prefer that the customers log in each and every time. That way they can't have themselves auto-logged in and have wife/employee/kids screw up any of their settings and then blame it on me. Is this a bad or good idea, or should I include cookies along with the sessions anyway?

dmmh

6:07 am on Jan 22, 2005 (gmt 0)

10+ Year Member



Sessions ARE cookies ;)

or at least, you need cookies to store session vars :)

willybfriendly

6:34 am on Jan 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"PHP and MySQL Web Development" by Welling and Thomson covers this subject pretty thoroughly, and gives example scripts. Well worth the $50 I paid for the book.

WBF

Boeboe

10:40 am on Jan 22, 2005 (gmt 0)

10+ Year Member



How about just using .htaccess and .htpassword?

mincklerstraat

11:05 am on Jan 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You could also just use a pre-written authentication class - check [pear.php.net...] or google for Pat_user, both will be top-notch authentication options.

twist

8:44 pm on Jan 22, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Sessions ARE cookies
or at least, you need cookies to store session vars

I am not positive, but I'm pretty sure session variables can be passed page to page and do not need the use of a cookie. The only example I can think of is phpBB. Its backup option, if the person has cookies disabled, is to use session variables.

You could also just use a pre-written authentication class - check [pear.php.net...] or google for Pat_user, both will be top-notch authentication options.

I looked at my webhost to see if it was installed and found nothing but from what little reading I did I see that it is part of newer versions of php? Will I still need to contact my host to see if it is installed/setup? Side-note, my host is the same people who host the pear.php.com website, should I just assume they already have it setup?

mincklerstraat

10:52 am on Jan 23, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You can just try, via the instructions of the class, to include it, and see if it's there. If it's not there, and you don't want to bother your host, you can just put it somewhere else, and include it from there, just making sure you also include everything else that that class wants (usually the PEAR class PEAR for example).

dmmh

11:08 am on Jan 23, 2005 (gmt 0)

10+ Year Member




I am not positive but i'm pretty sure session variables can be passed page to page and do not need the use of a cookie. The only example I can think of is phpbb. It's backup option if the person has cookies disabled is to use session variables.

yes, there is another way, store them in the url


A visitor accessing your web site is assigned a unique id, the so-called session id. This is either stored in a cookie on the user side or is propagated in the URL.

session variables are always used for sessions btw, at least, if you set some, no matter how they are used, as a cookie or in the url ;)
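An added example, my own code rather than anything from the thread or the PHP manual, pulling the session and storage points of this thread together: the session id is carried in a cookie only (URL propagation switched off, since an id in a link leaks through referers and browser history), the session cookie expires when the browser closes as twist wanted, the lookup uses a prepared statement, and the id is regenerated on login. It assumes PHP 7.3 or later with PDO; the demo at the bottom uses an in-memory SQLite database as a stand-in for MySQL so it runs offline, and the table name, column names and sample user are mine.

```php
<?php
// Added example (not from the thread): cookie-only PHP sessions plus a
// prepared-statement login. Assumes PHP 7.3+ with PDO (pdo_sqlite for the demo).
declare(strict_types=1);

// Session settings to apply before session_start() on every page.
function configure_session(): void
{
    ini_set('session.use_only_cookies', '1');  // never accept ?PHPSESSID=... from the URL
    ini_set('session.use_trans_sid', '0');     // never append the id to links or forms
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
    ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
    ini_set('session.cookie_secure', '1');     // only sent over HTTPS (assumes the site has TLS)
    ini_set('session.cookie_samesite', 'Strict');
    ini_set('session.cookie_lifetime', '0');   // session cookie: discarded when the browser closes
}

// Demo schema. Against MySQL use INT AUTO_INCREMENT / VARCHAR; the query code is unchanged.
function create_schema(PDO $db): void
{
    $db->exec('CREATE TABLE sponsors (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
}

function register(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO sponsors (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the sponsor id on success, null otherwise. The username is a bound
// parameter, so a value like "' OR '1'='1" is just a string that matches nothing.
function authenticate(PDO $db, string $username, string $password): ?int
{
    static $dummyHash = null;                  // computed once per process
    $dummyHash = $dummyHash ?? password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT id, password_hash FROM sponsors WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), against a dummy hash when the user does not
    // exist, so response time does not reveal which usernames are valid.
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummyHash);
    return ($ok && $row) ? (int) $row['id'] : null;
}

// What the login page does once authenticate() succeeds: a fresh session id,
// so an id handed to the browser before login (session fixation) is useless.
function establish_session(int $sponsorId): void
{
    configure_session();
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['sponsor_id']   = $sponsorId;
    $_SESSION['logged_in_at'] = time();
}

// --- demo (SQLite in memory as a stand-in for MySQL) ---------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
create_schema($db);
register($db, 'john_smith', 'burger123');

echo "right password: " . var_export(authenticate($db, 'john_smith', 'burger123'), true) . "\n"; // 1
echo "wrong password: " . var_export(authenticate($db, 'john_smith', 'burger124'), true) . "\n"; // NULL
echo "injection try:  " . var_export(authenticate($db, "' OR '1'='1", 'x'), true) . "\n";      // NULL
```

With session.cookie_lifetime at 0 there is no persistent "remember me" cookie, so the sponsor logs in again after closing the browser, which is the behaviour asked for above; the session cookie itself is still a cookie, which is why the discussion about cookies versus sessions comes down to where the id is carried, not whether one exists.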