Complex Password and Password Expiry in 30 days

bsandhu

Hi,

I have a PHP-MySql website with a simple Username + Password login. However I wondered if anybody knows a better form of authentication (without using SSL/ certificates etc).

Basically I need a more complex password, and a password expiry of 30 days, prompting users to change their password etc.

How do you force a password of greater then 8 chars etc?

Is their any encryption techniques that a PHP novice could use?

Many thanks

Bhups

bhupinder_sandhu@hotmail.com

planetsim

Firstly you can use

strlen(); for password length
md5(); to hash the password do not get this mixed with encryption. This a one way hash meaning the only way a user can get the password is by bruteforce.

Sxooter

Look for libcrack and setup PHP to use it using the --with-crack switch before compiling (seriously, that's the name of the switch)

Read up on this section of the manual for the rest:

http://www.php.net/manual/en/ref.crack.php

As for 30 day expiry, just set a date when they change their password and check it every time they log in to see if today's date is 30 days or more newer than the one you stored when they changed their password.

Note that the php.ini file has a "auto_prepend_file =" setting you can use to put a simple check like this at the top of every page that the php engine parses.