Check out these randomized sha1 password storage functions. They output a string of 50 characters, the first 40 characters being a sha1 output based on the last 10 characters, those being a random seed.
To encode a password, run pw_encode with the password; it'll return a different pseudo-random string every time. Store this value.
To check a password, run pw_check with the password attempt and the stored value; it'll return true on a match and false otherwise.
These functions eliminate the pesky problem of dictionary matches being run on your password lists.
<?php
// Stored value layout: 40 hex chars of sha1(seed.password.seed) followed by the 10-char hex seed.
function pw_encode($password)
{
// Build the 10-character hex seed from a cryptographically secure source.
// (The original used rand(), whose output is predictable, and never initialised $seed.)
$seed = '';
for ($i = 1; $i <= 10; $i++)
$seed .= substr('0123456789abcdef', random_int(0, 15), 1);
return sha1($seed.$password.$seed).$seed;
}
function pw_check($password, $stored_value)
{
if (strlen($stored_value) != 50)
return FALSE;
$stored_seed = substr($stored_value, 40, 10);
// Recompute with the stored seed and compare in constant time with hash_equals
// rather than ==, which is not timing-safe and applies PHP's loose string comparison.
return hash_equals($stored_value, sha1($stored_seed.$password.$stored_seed).$stored_seed);
}
?>
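The following is an added example and not part of the original note. It reimplements the same 50-character layout (40 hex digits of sha1(seed.password.seed) followed by the 10 hex-digit seed) with a CSPRNG seed and a constant-time compare, then runs a small constructed wordlist against one stored value to show what the stored seed does and does not buy you: a single precomputed table no longer covers every entry in the list, but each stored value can still be guessed individually because the seed sits next to the hash in the clear. The function names seeded_sha1_encode, seeded_sha1_check and dictionary_guess and the wordlist are my own for this illustration.

```php
<?php
// Added example, not from the original note. Same storage layout as pw_encode/pw_check:
// 40 hex chars of sha1(seed.password.seed) followed by the 10-char hex seed.

function seeded_sha1_encode(string $password): string
{
    // bin2hex(random_bytes(5)) gives exactly 10 hex characters from a CSPRNG.
    $seed = bin2hex(random_bytes(5));
    return sha1($seed . $password . $seed) . $seed;
}

function seeded_sha1_check(string $password, string $stored): bool
{
    if (strlen($stored) !== 50) {
        return false;
    }
    $seed = substr($stored, 40, 10);
    // hash_equals avoids leaking the position of the first mismatching byte.
    return hash_equals($stored, sha1($seed . $password . $seed) . $seed);
}

// Offline guessing against ONE stored value: the seed is stored in the clear,
// so the attacker just wraps each candidate in it and recomputes sha1.
function dictionary_guess(string $stored, array $wordlist): ?string
{
    foreach ($wordlist as $guess) {
        if (seeded_sha1_check($guess, $stored)) {
            return $guess;
        }
    }
    return null;
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

$stored = seeded_sha1_encode('letmein');
expect(strlen($stored) === 50, 'stored value is 50 chars');
expect(seeded_sha1_check('letmein', $stored), 'correct password verifies');
expect(!seeded_sha1_check('letmeIn', $stored), 'wrong password is rejected');
expect(!seeded_sha1_check('letmein', substr($stored, 0, 40)), 'truncated value is rejected');

// A fresh encoding of the same password gets a fresh seed, so the two stored
// values differ: one precomputed table cannot be reused across the list.
expect(seeded_sha1_encode('letmein') !== $stored, 'seeds differ per encoding');

// Constructed wordlist for the demonstration; the weak password is still found.
$wordlist = ['123456', 'password', 'qwerty', 'letmein', 'dragon'];
expect(dictionary_guess($stored, $wordlist) === 'letmein', 'per-value dictionary guess succeeds');

echo "all checks passed\n";
```

The per-value guess loop is the part to take away: a seed makes the attacker redo the work for every entry, but a single sha1 per guess is cheap, so a weak password still falls to a wordlist. PHP's built-in password_hash() and password_verify() (bcrypt with a tunable cost) are the standard way to make each guess expensive as well as seeded.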