Possible Duplicate:
Best way to store password in database
I have a database (mySQL) where the table USERS has this structure:
Passwd and BancAccount are plain text on the database. From the PHP code, when login is done, it compares the user input for UserID and Passwd with the results from the database.
I would like to make it more secure, so that if anyone is able to break into the database, he cannot see these two critical fields. Any suggestions?
THANKS
Try using the PHP crypt function and use the database to to store the salt as well, to follow up with what Neal says, make sure you try to use some obscurity to hide it as well...but you'll need the salt to compare the user input against later.
well you can hash with a salt the password. and have a completely seperate table for thebank accounts that is linked somehow to that table but very obscurely.
You should definitely not store the password in plain but only a hash of it, at best a salted hash.
Which hash function you use and how the salt is chosen is also an important question. Many people suggest to use bcrypt as the hash function for passwords that has a cost parameter to adjust the computational costs of generating the hash value (the more expensive the longer brute-force attacks will last). And the salt should be a random value and unique for each password.
I'd suggest putting together a concenated string containing the password; also called to "Salt and Pepper" the password, then encrypt it with SHA1. Then you use the same algorithm when checking the database fields.
$salt = "a7s8as98sa9";
$pepper = date("H");
$hash = sha1($salt . $password . $pepper);
Using dynamic salts like randomly generated strings, numbers, dates or timestamps are only the tip of the iceberg of creativity.