
Say I have a platform, and I want to store a password.

Is it more secure to store the password prefixed with the user's email and then hash it, than just hashing the password?

Example,

$hash = md5($email.$password);

Rather than just

$hash = md5($password);

Then to store the variable $password.

Austin Collins
    If the user can change her email, then her password won't be valid anymore, no? – Nomad Webcode Jul 13 '15 at 22:27
  • You're talking about salts. –  Jul 13 '15 at 22:28
  • I would say it ***could*** be considered more secure until someone figured out you were salting all passwords with an email. At which point your salt is worthless. Then you run into issues like capitalization, changing email addresses, etc. Use a randomly generated salt, not an easy to figure out one like an email. Salting gets you a ***lot*** more security than tacking on something not random. – Kritner Jul 13 '15 at 22:29
  • @Oscargeek you need to enter a password when you change your email, so it can be regenerated with the new email. – Austin Collins Jul 13 '15 at 22:30
    Better to use password_hash()/password_verify() which uses a more secure hashing algorithm, and a more secure random salt – Mark Baker Jul 13 '15 at 22:30

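As an added example (not code from the question or from any of the commenters), the email-as-salt scheme from the question side by side with the password_hash()/password_verify() approach suggested in the comments; the e-mail addresses and passwords are made up for illustration:

```php
<?php
// Added example: the asker's scheme next to password_hash()/password_verify().

function expect(bool $ok, string $what): void
{
    echo ($ok ? 'ok   ' : 'FAIL ') . $what . PHP_EOL;
}

// The scheme from the question: the e-mail acts as a deterministic "salt".
function legacyHash(string $email, string $password): string
{
    return md5($email . $password);
}

// Two accounts with the same password do get different digests, which is the
// effect the asker wants, but the digest is bound to the exact e-mail string.
$a = legacyHash('alice@example.com', 'correct horse');   // constructed sample
$b = legacyHash('Alice@example.com', 'correct horse');   // same user, different case
expect($a !== $b, 'capitalisation change in the e-mail breaks login with legacyHash');
// The "salt" is also public: anyone who knows an e-mail can precompute
// md5(email . candidate) for a password list, so it adds no cost to a targeted guess,
// and md5 itself is fast, so every candidate is cheap to try.

// Recommended in the comments: PHP picks a random per-user salt and a slow,
// tunable algorithm (bcrypt under PASSWORD_DEFAULT as of PHP 5.5).
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function checkPassword(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

$stored = storePassword('correct horse');
expect(checkPassword('correct horse', $stored), 'correct password verifies');
expect(!checkPassword('Correct horse', $stored), 'wrong password is rejected');
// The salt and cost travel inside the stored string, so changing the user's
// e-mail needs no rehash, and equal passwords still yield different stored values.
expect($stored !== storePassword('correct horse'), 'random salt differs per call');

// When the cost is raised later, rehash on the next successful login.
if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 13])) {
    $stored = password_hash('correct horse', PASSWORD_DEFAULT, ['cost' => 13]);
}
expect(checkPassword('correct horse', $stored), 'rehashed value still verifies');
```

Every line printed should start with "ok"; the legacyHash() checks show why an e-mail makes a poor salt, and the stored bcrypt string is what you keep in the database instead of $password.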