As you might have already guessed, it has to do with
security. If your database is stolen, the thief could try to match the hashed password values with a large dictionary
of hashed values that looks something like this:
word1 .... sha1(word1)
word2 .... sha1(word2)
...
word10000 .... sha1(word10000)
If two hash values match, it means the original strings (which, in our case, are the customers' passwords) also
match.
CHAPTER 16 ■ MANAGING CUSTOMER DETAILS 482
Prepending a secret prefix to the password before hashing it reduces the risk of dictionary attacks on the hashed
passwords database, because the string actually being hashed (secret prefix + password) is unlikely to appear in a
large dictionary of "password - hash value" pairs. Keep in mind that the prefix is one secret shared by all accounts,
not a per-user salt: it has to live in your application code, anyone who obtains it can simply rebuild the dictionary
with the prefix included, and two customers who choose the same password still end up with the same stored hash.
The test_hasher.php page tests your newly created PasswordHasher class.
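To make the dictionary attack and the effect of the secret prefix concrete, here is an added example in Python (not the book's PHP PasswordHasher code). The word list, the secret prefix and the "stolen" customer table are all constructed for this example; the attacker's table is the "word .... sha1(word)" list from the text, built once and then looked up for every stolen hash. The example also goes one step beyond the text and shows what happens once the attacker learns the prefix.

```python
import hashlib

# Constructed sample data for this example (not from the book's database).
SECRET_PREFIX = "k3Yp3pp3r"  # hypothetical secret prefix, standing in for the one PasswordHasher would keep
WORDLIST = ["123456", "password", "freedom", "qwerty", "letmein"]  # the attacker's (tiny) dictionary


def sha1_hex(text: str) -> str:
    """SHA-1 hex digest, the same primitive the book's PasswordHasher uses."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def hash_password(password: str, prefix: str = "") -> str:
    """Hash prefix + password; an empty prefix gives plain sha1(password)."""
    return sha1_hex(prefix + password)


def build_dictionary(words, prefix: str = "") -> dict:
    """Precompute the attacker's table, stored hash -> candidate password.

    With prefix="" this is exactly the 'word .... sha1(word)' table from the text;
    an attacker who has learned the prefix passes it in to rebuild the table.
    """
    return {hash_password(w, prefix): w for w in words}


def match_stolen_hashes(stolen: dict, table: dict) -> dict:
    """Look every stolen hash up in the table; return user -> recovered password."""
    return {user: table[h] for user, h in stolen.items() if h in table}


def stolen_customer_table() -> dict:
    """Constructed stand-in for a stolen customer table (user -> stored hash)."""
    return {
        "alice": hash_password("freedom"),                # plain sha1, password is in the word list
        "bob": hash_password("correct horse battery"),    # plain sha1, password is not in the word list
        "carol": hash_password("freedom", SECRET_PREFIX), # prefixed hash of the same weak password as alice
    }


def attack_without_prefix() -> dict:
    """The attack as described in the text: match stolen hashes against sha1(word)."""
    return match_stolen_hashes(stolen_customer_table(), build_dictionary(WORDLIST))


def attack_with_leaked_prefix() -> dict:
    """Once the prefix leaks, the attacker rebuilds the table as sha1(prefix + word)."""
    return match_stolen_hashes(stolen_customer_table(), build_dictionary(WORDLIST, SECRET_PREFIX))


if __name__ == "__main__":
    print("without prefix:", attack_without_prefix())      # only alice is recovered
    print("with leaked prefix:", attack_with_leaked_prefix())  # now carol is recovered instead
```

Alice's hash is found immediately because sha1("freedom") is in the precomputed table; carol's is not, even though she chose the same password, because sha1(prefix + "freedom") was never precomputed. The second run shows the limit of the scheme: the prefix is a single secret, so once it leaks the table is rebuilt with it and carol falls just as easily. Bob survives both runs only because his password is not in the word list.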
■ Note You can also handle hashing at the database level by using the MySQL PASSWORD(), MD5(), and
SHA1() hashing functions. For example, you could execute the following MySQL statement to see the
MySQL SHA1() function in action:
SELECT SHA1('freedom');
Of course, when relying on MySQL's hashing functionality, the passwords travel in plaintext to your
MySQL server (and can end up in the server's query logs), so if the MySQL server is not on the same
machine as your web server you must secure the connection between the two by using SSL connections.