[DEV] New Usersystem

[Recursion]

Can I just input here, how is MD5 "not secure"? It's only the fools who put dictionary words as their passwords that are going to be effected.

If you forced them to set a password with even one character of punctuation it's going to make cracking the password take a whole lot longer (IMO people should be forced to do this, just my 2c)

[Jack!]

Can I just input here, how is MD5 "not secure"? It's only the fools who put dictionary words as their passwords that are going to be effected.

If you forced them to set a password with even one character of punctuation it's going to make cracking the password take a whole lot longer (IMO people should be forced to do this, just my 2c)

Currently the password has to be longer than 6 charaters i think. i may add the salt, but im not right now,MD5 should be fine.

UPDATE: User CP is almost done. About me editing is done, Including BB Code. Show and hide DoB, Email, and Name is working. change password is done, and change email is done.

[Jahova]

Just make sure you cover all the exploits.

[HotelUser]

Can I just input here, how is MD5 "not secure"? It's only the fools who put dictionary words as their passwords that are going to be effected.

If you forced them to set a password with even one character of punctuation it's going to make cracking the password take a whole lot longer (IMO people should be forced to do this, just my 2c)

Agreed Tom, and it only takes a little elbow grease to implement too

Currently the password has to be longer than 6 charaters i think. i may add the salt, but im not right now,MD5 should be fine.

UPDATE: User CP is almost done. About me editing is done, Including BB Code. Show and hide DoB, Email, and Name is working. change password is done, and change email is done.

Excellent stuff. Especially interested in what you said about bbcode. Do you have a WYSIWYG bbcose editor?

[Jack!]

Agreed Tom, and it only takes a little elbow grease to implement too




Excellent stuff. Especially interested in what you said about bbcode. Do you have a WYSIWYG bbcose editor?

Currently the BBCode has to be added manually, [br] ect, i may add a wysiwyg editor, just want to get everything working first. Also may be overhauling the PM system, seems a lil buggy using ajax.

[MattFr]

I salt password strings like

md5( $username . $password . $salt );

where salt is

substr( md5( time() ), 0, 8 )

and stored in the users row

Your salt is dynamic based on a number that will never happen again? Good luck with that.

@ OP, is there any reason why you swap between constants and variables? Do you know the difference and when each should be used properly?

[Blob]

Your salt is dynamic based on a number that will never happen again? Good luck with that.

and stored in the users row

Cheers for the good luck.

[MattFr]

Cheers for the good luck.

But surely if your database is compromised, storing the salt with the user row makes it easier to run a dictionary attack. Your method of generating numbers seems to be crazy inefficient anyway, just use a random.

[Blob]

But surely if your database is compromised, storing the salt with the user row makes it easier to run a dictionary attack. Your method of generating numbers seems to be crazy inefficient anyway, just use a random.

Same with vBulletin though, they store a salt in the user database too.

Not quite sure why I did it in the first place, I was talking to another developer at the time who told me how he does his.

[MattFr]

Same with vBulletin though, they store a salt in the user database too.

Not quite sure why I did it in the first place, I was talking to another developer at the time who told me how he does his.

vBulletin coding isn't exactly amazing.