Shay Ben Moshe's Blog: Hashing Passwords Properly
by Chris Cornutt May 13, 2011 @ 08:47:42
Shay Ben Moshe has a new post to his blog looking at a method he's come up with for hashing passwords the proper way and saving them to a database for future checking. His tools of choice are crypt and a random salt generator.
The easy and common solution for this particular problem is to use a one-way hash function, such as md5 and sha1, which takes the password and encrypts it.
Unfortunately, this method is not as strong as you may think. [...] We can protect our password from rainbow tables and similar attacks by using salts.
He talks about storing passwords in a database (never as plain text!), what rainbow tables are, and how they make it simple to break a poorly hashed value. He shows how to use the crypt function together with the sha512 hashing method and a generated salt.
password hashing crypt sha512 tutorial
PHP.net: Security Notice (wiki.php.net)
by Chris Cornutt March 23, 2011 @ 10:43:05
On PHP.net there's a quick security advisory for those that didn't see the news - the wiki.php.net machine was compromised; it has been wiped, and all accounts have been reset and require a password change.
The wiki.php.net box was compromised and the attackers were able to collect wiki account credentials. No other machines in the php.net infrastructure appear to have been affected. Our biggest concern is, of course, the integrity of our source code. We did an extensive code audit and looked at every commit since 5.3.5 to make sure that no stolen accounts were used to inject anything malicious. Nothing was found. The compromised machine has been wiped and we are forcing a password change for all svn accounts.
The issue was caused by a combination of a problem with the wiki software and a Linux root exploit. The Register has additional comments about the issue and outage.
security wiki compromised linux root exploit bug svn password
Joshua Thijssen's Blog: Password hashing and salting
by Chris Cornutt February 03, 2011 @ 12:16:31
Joshua Thijssen has a new post to his blog looking at password hashing and salting - something that, really, should always be done to help protect your site's user information.
It is true in effect that using a salt increases the overall security of your hashes, BUT it's not only because your passwords are longer. There is another (maybe even more important) factor that comes into play, namely the fact they are more secure against rainbow table attacks, but that depends on HOW you season your hashes. Season it incorrectly, and you gain nothing in security even though you think you did...
He gets into some of the details about hashing your information, how easily that hash can be broken, and how salting can help reduce that risk. He also points out that rainbow tables and brute force could still break these salted passwords. He recommends using a different method than a single site-wide salt: a different salt for each user, stored in plain text along with the user record.
hashing salting password tutorial rainbowtable bruteforce
NetTuts.com: Understanding Hash Functions and Keeping Passwords Safe
by Chris Cornutt January 18, 2011 @ 08:05:29
On NetTuts.com today there's a new tutorial from Burak Guzel about keeping your passwords (and web applications) safer by using hashing with passwords and understanding which of the PHP functions is right for you.
From time to time, servers and databases are stolen or compromised. With this in mind, it is important to ensure that some crucial user data, such as passwords, can not be recovered. Today, we are going to learn the basics behind hashing and what it takes to protect passwords in your web applications.
The article is a simple introduction to the topic and doesn't claim that it will protect you 100%, but it's good to get the ball rolling. He talks about md5 hashing and the crypt method. He also outlines a few problems that surround hashing - hash collisions, attackers using "rainbow tables", and how quickly the average computer can run through hashes (an average 8 character password could be broken in around 60 hours). For each, he includes a few things you can do in your code to help prevent them from happening.
hashing password md5 crypt salt tutorial
Jakob Westhoff's Blog: From Revelation security to Android password managers
by Chris Cornutt April 19, 2010 @ 10:07:58
New on his blog today Jakob Westhoff describes a system he's created to let him keep all of his passwords with him (and safe) where he can get to them from his Android phone. He wanted to pull them from the local store of his Revelation password software.
I am really enjoying my new smartphone. However there is still something missing. A way to have all my passwords with me on my phone in a safely encrypted container.
The Revelation system pushes the passwords into subversion when they're updated and can be accessed from a desktop platform. He was missing the mobile branch of the access, so he decided to fill the gap with PHP by making a reverse transformer for the Revelation passwords. You can get the code here from github if you want to make use of it on your own systems.
password manager revelation android
Kavoir.com: Just Hashing is Far from Enough for Storing Passwords (Dictionary & Rainbow Attacks)
by Chris Cornutt March 09, 2010 @ 13:11:01
On Kavoir.com there's a new post that reminds you that hashing isn't enough anymore to protect your users and their passwords. They offer a suggestion or two of what you can do to help lock things down a bit more.
The common practice is to hash the user password and store the hash string of the password in the database. When the user tries to log in and supplies his password, it is used to generate a hash string to be compared to the one stored in the database. [...] This approach may be secure in the 70s of the last century, but barely any more.
Computing has evolved enough that unsalted hashes can be matched, sometimes in less than two or three minutes. Their answer to the problem? Generate a random salt each time you create the hash, with a constant being used as a base. A code snippet calling a user-defined function and the sha1 function is included.
hash password salt dictionary rainbow attack
ITNewb.com: Encrypting Passwords with PHP for Storage Using the RSA PBKDF2 Standard
by Chris Cornutt September 21, 2009 @ 11:19:09
On the ITnewb.com site today there's a new tutorial looking at hashing passwords for storage in your PHP apps using the RSA PBKDF2 standard - a "Password-Based Key Derivation Function" that runs a pseudorandom function over the password and a salt many times to produce your derived key.
When creating password hashes for storage, many programmers will run a password through MD5 once and call it a day, rendering those hashes very susceptible to attack if they're discovered. In this article, you'll learn how to create stronger hashes with PHP by using the RSA PBKDF2 Standard.
They create a quick function that takes in a few different values - the password to hash, a salt value, how many iterations to run, how long you want the derived key to be, and which hash to use (in this case sha256).
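The scheme the ITNewb tutorial describes (PBKDF2 with password, salt, iteration count, key length and hash choice), combined with the per-user salt stored beside the record that the Thijssen and Kavoir posts recommend, as an added example in Python rather than the tutorials' PHP; this is not code from any of the posts, and the `pbkdf2_<hash>$iterations$salt$key` storage format and the 100,000-iteration default are assumptions of this example.

```python
import hashlib
import hmac
import os


def pbkdf2(password: bytes, salt: bytes, iterations: int, dklen: int,
           hash_name: str = "sha256") -> bytes:
    """PBKDF2 from RSA's PKCS #5 (RFC 2898), written out step by step.

    PRF is HMAC-<hash_name>. For output block i (1-based): U1 = HMAC(pw, salt || INT_BE(i)),
    each later round feeds the previous U back in, and the block is the XOR of all U.
    Blocks are concatenated and truncated to dklen bytes.
    """
    hlen = hashlib.new(hash_name).digest_size
    derived = b""
    for block in range(1, -(-dklen // hlen) + 1):  # ceil(dklen / hlen) blocks
        u = hmac.new(password, salt + block.to_bytes(4, "big"), hash_name).digest()
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            t ^= int.from_bytes(u, "big")
        derived += t.to_bytes(hlen, "big")
    return derived[:dklen]


def hash_password(password: str, iterations: int = 100_000,
                  hash_name: str = "sha256") -> str:
    """Hash for storage: a fresh random salt per user, kept in clear beside the key.

    Storage format (an assumption of this example): pbkdf2_<hash>$<iterations>$<salt>$<key>.
    Carrying the scheme and work factor lets you raise iterations for new records
    without breaking verification of old ones.
    """
    salt = os.urandom(16)
    dk = pbkdf2(password.encode("utf-8"), salt, iterations, 32, hash_name)
    return "pbkdf2_{}${}${}${}".format(hash_name, iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    hash_name = scheme.split("_", 1)[1]
    expected = bytes.fromhex(dk_hex)
    candidate = pbkdf2(password.encode("utf-8"), bytes.fromhex(salt_hex),
                       int(iterations), len(expected), hash_name)
    return hmac.compare_digest(candidate, expected)
```

Because the salt is random per user, two users with the same password get different stored values, which is what defeats a precomputed rainbow table.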
tutorial storage password rsa pbkdf2 standard
ITNewb.com: Generating Session IDs and Random Passwords with PHP
by Chris Cornutt June 01, 2009 @ 08:46:50
New on the ITNewb.com site today is this new tutorial looking at generating session ID numbers and random passwords for your application using functions like mt_rand and mt_srand.
Whether it's session ids, passwords or tokens in general, in the world of web development the ability to generate random alpha-numeric strings is a necessity. In this article I present a few simple yet effective PHP functions that can be used to generate strong alpha, numeric and/or special character tokens and passwords.
He gives examples of generating tokens and generating passwords, each with a custom function which he explains and gives a usage example for.
random session tutorial password
Jani Hartikainen's Blog: Dealing with different password validation schemes in a single app
by Chris Cornutt May 23, 2009 @ 06:32:17
Jani Hartikainen has written up a new post for his blog looking at how to combine multiple password validation methods inside of a single application.
If your application is well thought out, you would not want to save any data that isn't valid. So what do you do, when you need different validation schemes, say for passwords, depending on some special case? [...] There is a better approach: Using a "policy" - Policies can be used for other things than this too, but let's look at how to use a policy for managing password validation.
He sets up an example scenario where the user sets an invalid and valid password and shows how policies for password validation (regular expression matches and other validation techniques) can provide a simple way to ensure the user has entered the right information.
policy validation password multiple
NETTUTS.com: Creating an Advanced Password Recovery Utility
by Chris Cornutt May 06, 2009 @ 08:47:49
On the NETTUTS site today there's a new article (continuing on from this tutorial) looking at how to make a "forgot your password" system to add on to their current login technique.
In my last tutorial, 'A Better Login System', a few people commented on how they would like to see a tutorial on password recovery, which is something you don't always see in user access tutorials. The tutorial I am bringing you today will deal with just that. Using mySQLi, we will learn to recover unencrypted and (one-way) encrypted passwords.
They give you what you'll need to set up the database for the user information and the PHP code you'll need to connect to it and fetch the user's information. The script then generates an email with a custom link that will take the user to a page asking them to answer a security question before they can continue.
password recovery security question link email login