password-hash

I'm putting together an android client (and possibly in the future iOS, web portal, etc) and php mysql server. Server side I am currently using the PHPass library to hash and salt the incoming passwords. Should I make the client send plain text passwords over HTTPS/SSL or should the client do some form of hashing first. For example should every client simply sha1 (or some other algorithm) every outgoing password? Most websites will send the password plain-text over an encrypted connection SSL/HTTPS. Hashing the password client-side can be done, but the advantage is small and often client-side

I'm trying to connect to a mysql server at dreamhost from a php scrip located in a server at slicehost (two different hosting companies). I need to do this so I can transfer new data at slicehost to dreamhost. Using a dump is not an option because the table structures are different and i only need to transfer a small subset of data (100-200 daily records) The problem is that I'm using the new MySQL Password Hashing method at slicehost, and dreamhost uses the old one, So i get $link = mysql_connect($mysqlHost, $mysqlUser, $mysqlPass, FALSE); Warning: mysql_connect() [function.mysql-connect]: OK

I am having a bit little bit of trouble understanding php's crypt function. My PHP version is 5.4.7. I want to use crypt to store salted passwords in the database, because as far as I am told, developers who use md5 to hash passwords are to be staked and burned on the spot. I wanted to use the blowfish alg to generate the hash. Now, according to the php documentation, crypt uses blowfish if you call it with "$2y$" + cost (for instance: "08") + "$" + 22 characters salt ( ./0-9A-Za-z ). However, the output of this little bit of test code is confusing me: echo "<pre>"; if (CRYPT_BLOWFISH == 1) {

I've updated the code and the script is still returning the "Fail." message. I must be missing something, I've taken everyone's advice. That or I'm just plain stupid LOL! Here's the updated code: require('../connect.php'); $username = $_POST['username-sign-in']; $password = $_POST['password-sign-in']; if true then exit() for { empty($username); empty($password); } if (isset($username, $password)) { $getuser = $connection->prepare('SELECT `username`, `password` FROM `users` WHERE `username` = ?'); $getuser->bind_param('s', $username); $getuser->execute(); $userdata = $getuser->get_result();

When the user register on the site , and I look in the database joomla_users in the password table, there are password stored in the following formats: $P$Do8QrURFT1r0NlWf0X/grdF/aMqwqK/ $P$DH38Lch9z508gJiop3A6u0whTity390 ........ But not in the form as described in the documentation (MD5 + ":" + SALT): 1802ebc64051d5b4f4d1b408babb5020:0PHJDbnsyX05YpKbAuLYnw2VCzFMW2VK I need to have this clarified for me, because I'm using outside script that checks for user credentials to check for password match. In my PHP script I have code that seperates SALT from password from database: $parts = explode(

I came across a discussion in which I learned that what I'd been doing wasn't in fact salting passwords but peppering them, and I've since begun doing both with a function like: hash_function($salt.hash_function($pepper.$password)) [multiple iterations] Ignoring the chosen hash algorithm (I want this to be a discussion of salts & peppers and not specific algorithms but I'm using a secure one), is this a secure option or should I be doing something different? For those unfamiliar with the terms: A salt is a randomly generated value usually stored with the string in the database designed to make