[eluser]Elliot Haughin[/eluser]
Quote:No it doesn’t. Store an extra field that records the string length of the user’s password, and display that. Update it whenever the user changes their password.
Always encrypt passwords with a salt, ALWAYS. This shouldn’t even be debatable
Your dead right... I wouldn't even bother storing the length of the password, since it's a another 'clue' stored away...
Just give the user a blank box... it doesn't matter if it's got 9 stars in it or 8, or none...
The user isn't going to sit and count the number of stars in the box, in-fact, they probably don't care.
Quote:A small contribution of a different secure alternative that has worked for me so far: Using PUBLIC/PRIVATE keys
I think there's definitely a good point there.
But, this can all be done just using SSL, which means that all data sent back and forth from the client and server is automatically encrypted/decrypted.
The main problem is, if you do some form of hashing client-side on the password with a public key appended, it needs to be a 2-way encryption method so on the server side you can 'decrypt' the password/key hash to then test it against your secure _prep_password($password) database stored password.
And, if the encryption is performed client-side, a hacker could look at the hashing algorithm (because it has to be a js function or something), and work out how the 'hashed' transmitted password is built.
With this information, they can take the 'hashed' transmitted password, and reverse-code the clientside hashing script to produce the original transmitted password.
Which is where SSL really comes into its own... its fully encrypted transmission of requests is only possible to encode/decode with the SSL certificates located on your server, and married to your unique domain name.
Edit: xwero beat me to the SSL!
Ah, well, I hope this post explains why SSL is much better than any client-side hashing.