

How and Why to Hash Passwords in PHP - kaptain
http://phpsec.org/articles/2005/password-hashing.html

======
devicenull
Well, bonus points for including SQL that doesn't suffer from SQL injection
issues, but every one of the suggestions is wrong.

I'm personally confused by this comment:

    Note: Using MySQL's password() function in your own applications isn't recommended - the algorithm used has changed over time and prior to 4.1 was particularly weak.

So.. if you know it's not recommended, why even include an example of it?

------
there
yikes, a php security site telling people to use sha1().

don't use sha1 hashes for storing passwords, use bcrypt.
<http://www.openwall.com/phpass/>

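or a quick code snippet:

    // Build a 40-byte random string to derive the salt from.
    for ($salt = "", $x = 0; $x++ < 40; $salt .= chr(mt_rand(0, 255)))
        ;

    // bcrypt at cost 08; crypt() reads the first 22 characters of the whirlpool hex digest as the salt.
    $hashed = crypt($password, '$2a$08$' . hash("whirlpool", $salt));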
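
Added example, not code from the thread or from the phpsec article: moving stored salted SHA-1 password hashes to bcrypt at login time with PHP's built-in `password_hash()` API (PHP 7.1+ syntax). The record layout (`algo`, `salt`, `hash`), the function names and the sample values are assumptions made for illustration.

```php
<?php
// Added example: record layout and function names are assumptions, not from the article.
const BCRYPT_OPTS = ['cost' => 12];

/** Hash a new password with bcrypt; password_hash() generates the salt itself. */
function hash_new_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
}

/**
 * Check a login against a stored record and upgrade the record if needed.
 * Returns [bool $ok, ?string $replacementHash].
 */
function verify_and_upgrade(string $password, array $record): array
{
    if ($record['algo'] === 'sha1') {
        // Legacy record (assumed layout): hash = sha1(salt . password), hex encoded.
        $ok = hash_equals($record['hash'], sha1($record['salt'] . $password));
        // On success the plaintext is in hand, so re-hash it with bcrypt now.
        return [$ok, $ok ? hash_new_password($password) : null];
    }
    $ok = password_verify($password, $record['hash']);
    // Re-hash when the stored cost is below the current setting.
    $stale = $ok && password_needs_rehash($record['hash'], PASSWORD_BCRYPT, BCRYPT_OPTS);
    return [$ok, $stale ? hash_new_password($password) : null];
}

// Constructed sample data: one legacy SHA-1 record and one low-cost bcrypt record.
$legacy = ['algo' => 'sha1', 'salt' => 'a1b2c3d4', 'hash' => sha1('a1b2c3d4' . 'correct horse')];
$old    = ['algo' => 'bcrypt', 'hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 8])];

foreach ([$legacy, $old] as $record) {
    [$ok, $newHash] = verify_and_upgrade('correct horse', $record);
    printf("%s: ok=%s upgraded=%s\n", $record['algo'], var_export($ok, true),
        $newHash === null ? 'no' : substr($newHash, 0, 7));
}

// A wrong password must neither verify nor trigger an upgrade.
[$ok, $newHash] = verify_and_upgrade('wrong guess', $legacy);
printf("wrong password: ok=%s upgraded=%s\n", var_export($ok, true), var_export($newHash, true));
```

The caller stores the returned replacement hash (with `algo` set to `bcrypt`) in place of the old record, so legacy SHA-1 entries disappear as users log in.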

------
joshrice
I hope this article is really old...at least then the author can claim
ignorance.

phpsec should update this article with a more secure example.

