This page is just a simple way to obtain an encrypted password. It uses PHP's md5() function to produce a one-way hash ("scramble") of the password you type in. How is this useful?

Well, if you have a password protected site, you probably store the passwords in a database or in an XML or text file. If your site gets hacked, or your database succumbs to an SQL injection attack, your passwords may well be visible. But if they are encrypted, they won't be of any use to the attacker.

The hash function is a one-way operation, and furthermore a given input will always produce the same output hash. It will encrypt your password, but it's not possible (in any reasonable amount of time) to reverse the process and figure out the password from the hash. To use this scheme, you encrypt your password and store it in your database. When the user types in a password at the log-in prompt, their entry is hashed and compared with the hashed password in the database. Simple.

Please note - this does not release you from the responsibility of producing a secure password.

Since writing the guff in the left hand column, things have moved on. Read this and ponder!

I think it's still essential to encrypt & salt your passwords. If the database gets hacked it will offer some protection. But the message has to be "make it harder for a brute force attack to succeed" as follows:

  • At least 8 characters in your password, using mixed upper and lower case, numbers and symbols.
  • Don't use real words as part of the password
  • Don't use MD5, or SHA1 or SHA256 to encrypt passwords

So, in the table above I have added a crypt() version (for PHP only, of course) of the encrypted password. This adds a salt and a more costly algorithm to encrypt the password, which reduces the number of guesses an attacker can make in a given time.
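The store-and-compare scheme described earlier, and the salted crypt() version referred to here, side by side as an added example (this is not the page's own code). It assumes PHP 7 or later; the password value is a constructed sample, and the md5 functions are kept only to show the weak form next to the stronger one.

```php
<?php
// Added example, not the page's own code. Shows the store/compare scheme from
// the text first with unsalted md5(), then with crypt() using a salted,
// cost-tunable bcrypt hash ("$2y$"). Assumes PHP 7+ (random_bytes, hash_equals).

// --- Weak scheme: unsalted md5(), as originally described on this page. ---
function md5_store(string $password): string {
    return md5($password);                        // 32 hex chars, no salt, very fast to guess
}

function md5_verify(string $password, string $stored): bool {
    return hash_equals($stored, md5($password));  // constant-time comparison
}

// --- Salted, costly scheme: crypt() with bcrypt and a cost factor. ---
// Cost 12 means 2^12 key-expansion rounds; raise it as hardware gets faster.
function bcrypt_salt(int $cost = 12): string {
    // 16 random bytes -> 22 characters of the bcrypt alphabet [./A-Za-z0-9]
    $raw  = base64_encode(random_bytes(16));
    $salt = substr(strtr($raw, '+', '.'), 0, 22);
    return sprintf('$2y$%02d$%s', $cost, $salt);
}

function crypt_store(string $password, int $cost = 12): string {
    $hash = crypt($password, bcrypt_salt($cost));
    if (strlen($hash) !== 60) {                   // crypt() returns a short "*0"/"*1" string on failure
        throw new RuntimeException('bcrypt not available in this PHP build');
    }
    return $hash;                                 // salt and cost are embedded in the stored string
}

function crypt_verify(string $password, string $stored): bool {
    // crypt() re-reads the salt and cost from $stored, so no separate salt column is needed
    return hash_equals($stored, crypt($password, $stored));
}

// --- Demonstration with a constructed sample password (not a real credential). ---
$password = 'Tr0ub4dor&3';

$weak = md5_store($password);
printf("md5   : %s\n", $weak);                    // identical for every user with this password

$strong = crypt_store($password);
printf("crypt : %s\n", $strong);                  // differs on every run because of the random salt

printf("md5 verify, right password   : %s\n", md5_verify($password, $weak) ? 'ok' : 'FAIL');
printf("crypt verify, right password : %s\n", crypt_verify($password, $strong) ? 'ok' : 'FAIL');
printf("crypt verify, wrong password : %s\n", crypt_verify('not the password', $strong) ? 'accepted?!' : 'rejected');

// Two accounts with the same password: md5 gives away the match, bcrypt does not.
printf("same md5 for same password   : %s\n", md5_store($password) === $weak ? 'yes' : 'no');
printf("same bcrypt for same password: %s\n", crypt_store($password) === $strong ? 'yes' : 'no');
```

The hand-built salt is there only to make the salt and cost visible; on PHP 5.5 and later, password_hash() and password_verify() produce and check the same "$2y$" hashes and generate the salt for you, so they are the simpler choice in real code. The cost parameter is the knob the text refers to: each increment doubles the work per guess for the attacker and for your login page alike, so pick the highest value your server can afford.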

I'm not talking about someone typing a password into a log-on form here. I'm talking about the web site's database being hacked, so that the attacker has a list of user names and hashed passwords. The hacker is able to make billions of guesses a second in some cases.