ID:265728
 
I'm making a CGI application, but I don't want people to be forced to make a BYOND key to log on. I was wondering what's the best way to do this; I was thinking about doing this to keep passwords and usernames secure.


// pseudo code
var/username
var/password
var/const/salt = "text"
var/list/hashes = list()    // stores md5(username + salt + password), never the password itself

proc
    IsValidLogin(username, password)
        // compare the salted hash of what the user typed against the stored hashes
        if((md5(username + salt + password) in hashes))
            Welcome(username)
            return 1
        else
            return 0
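The check above is the right shape (store and compare a salted hash, never the password). As an added illustration that is not from this thread or from BYOND, the same login check is shown below in Python, with two changes a practitioner would want: a random per-user salt instead of one constant shared by every account, and a deliberately slow key-derivation function (PBKDF2 from the standard library) instead of a single md5() call, so a leaked table costs far more to attack. The user store, usernames and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed, in-memory user store: username -> (salt, verifier).
# A real CGI app would keep this in a file or database.
USERS = {}

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def make_verifier(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 is intentionally expensive, unlike a single md5() call,
    # so guessing passwords against a leaked table is slow for the attacker too.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    # 16 random bytes per user: two users with the same password still get
    # different stored verifiers, so a leaked table reveals no such pairs.
    salt = os.urandom(16)
    USERS[username] = (salt, make_verifier(password, salt))


def is_valid_login(username: str, password: str) -> bool:
    record = USERS.get(username)
    if record is None:
        # Do the same amount of work for an unknown username so a missing
        # account is not measurably faster to reject than a wrong password.
        make_verifier(password, b"\x00" * 16)
        return False
    salt, stored = record
    # compare_digest runs in time that does not depend on where the inputs differ.
    return hmac.compare_digest(stored, make_verifier(password, salt))


def same_password_different_verifiers(password: str) -> bool:
    # Shows why the per-user salt matters: identical passwords do not
    # produce identical stored values.
    register("alice", password)
    register("bob", password)
    return USERS["alice"][1] != USERS["bob"][1]


if __name__ == "__main__":
    register("demo", "correct horse")
    print(is_valid_login("demo", "correct horse"))  # True
    print(is_valid_login("demo", "wrong"))          # False
    print(is_valid_login("nobody", "anything"))     # False
    print(same_password_different_verifiers("hunter2"))  # True
```

The shared constant salt in the pseudo code above does prevent a precomputed table from working unchanged, but it lets an attacker who obtains the hashes test one guess against every account at once; a salt stored alongside each user removes that shortcut. The constant-time comparison is a small extra that costs nothing here.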
Storing only the hash of the password and not the password itself is indeed a good idea. And a bit of salt is good.
In response to Crispy (#1)
It's even better if you don't pass the bare password through the network at all. Do the hash before transmitting it. (http://pajhome.org.uk/crypt/md5/)
In response to Shadowdarke (#2)
Shadowdarke wrote:
It's even better if you don't pass the bare password through the network at all. Do the hash before transmitting it. (http://pajhome.org.uk/crypt/md5/)

But then, the hash is effectively the password. You're just protecting the user's plaintext password in the event they use it elsewhere. I suppose you're right, and it's not a bad idea, since some people could re-use the same password multiple times.