Easy fix

MD5 is pretty simple in PHP.

Hare gew, lut:

1) Take site offline

2) Select a cryptic shared secret (i.e. key) and put it somewhere in your software library, preferably not on a piece of code reachable directly from the interwebs.

3) write a quick procedure to run through the existing user/password table, UPDATE the password field to be an MD5 hash of the already stored password

4) modify registration procedure to make an MD5 hash of the password using your shared secret and store it instead of the clear text password

5) modify login procedure to make an MD5 hash of the entered password before checking the password stored in the DB.

6) Deploy new code

7) Bring site back up.

8) Make a few backups, then delete all the previous backups you have with unencrypted passwords

9) Sleep better.

Posted By: Steve in Holland, Aug 3, 14:03:33
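The procedure above, as an added example that is not the poster's code: the keyed-MD5 scheme the post describes beside the hardened form (PHP's built-in password_hash), with the migration and login steps written out. The PDO handle and a users table with id, username and password columns are assumptions.

```php
<?php
// Added example, not code from the original post: the poster's keyed-MD5
// scheme beside the hardened form a defender would deploy today.
// Assumed: a PDO handle and a users table with id, username, password columns.

// The post's scheme: one MD5 over a site-wide secret plus the password.
// A single static key gives no per-user salt, and MD5 is fast enough to be
// brute-forced offline if the table and the key leak together.
function legacy_keyed_md5(string $password, string $secret): string {
    return md5($secret . $password);
}

// Hardened form: password_hash() picks a random per-user salt and a slow
// algorithm (bcrypt under PASSWORD_DEFAULT); password_verify() checks it.
function hash_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Step 3 of the post, run in one transaction so a crash mid-way cannot leave
// the table half hashed and half clear text. Returns the number of rows updated.
function migrate_clear_text_passwords(PDO $pdo): int {
    $pdo->beginTransaction();
    $rows = $pdo->query('SELECT id, password FROM users')->fetchAll(PDO::FETCH_ASSOC);
    $update = $pdo->prepare('UPDATE users SET password = :hash WHERE id = :id');
    foreach ($rows as $row) {
        $update->execute([':hash' => hash_password($row['password']), ':id' => $row['id']]);
    }
    $pdo->commit();
    return count($rows);
}

// Step 5 of the post: verify at login. Also accepts the legacy keyed-MD5 value
// so accounts stored under that scheme are upgraded the next time they log in.
function login_check(PDO $pdo, string $username, string $password, string $secret): bool {
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (password_verify($password, $row['password'])) {
        return true;
    }
    if (hash_equals($row['password'], legacy_keyed_md5($password, $secret))) {
        // Constant-time match against the legacy value; re-store with the slow hash.
        $pdo->prepare('UPDATE users SET password = :h WHERE id = :id')
            ->execute([':h' => hash_password($password), ':id' => $row['id']]);
        return true;
    }
    return false;
}
```

Because the migration rewrites every row with password_hash directly, the legacy branch in login_check only matters for a site that already deployed the post's keyed-MD5 scheme.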

Written & Designed By Ben Graves 1999-2026