
MySQL Security


ast3r3x
2007-05-29, 14:11
So I'm writing my own CMS, for fun, but I'm trying to make everything pretty secure. I was wondering if anyone had input on the most secure way to store passwords in the database. I guess I've read that SHA1 is more secure than MD5, but I wasn't sure if that held at all, or only if you don't apply a salt to the MD5.

So any suggestions would be good, I'd like to stick with one way hashes, and not encryption. Or you could just tell me how you do it.

chucker
2007-05-29, 14:18
SHA1 is generally more secure than MD5, even when not salted. It has, however, been cracked already, but only under rather complex circumstances. It is generally good enough™ for general purposes, and used in all sorts of huge installations.
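As an added example (not code from the thread or from ast3r3x's CMS), here is what the salted one-way hashing being discussed looks like in Python. It shows the salted SHA-1 scheme the thread is talking about beside PBKDF2-HMAC-SHA256, which goes beyond the thread by adding an iteration count so each guess costs the attacker real work; a random per-user salt makes two users with the same password store different values and defeats precomputed tables, but on its own it does nothing to slow brute force. The function names, the `$`-separated storage format and the dict standing in for the MySQL users table are my own choices.

```python
import hashlib
import hmac
import os

# Iteration count for PBKDF2; tune upward as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def hash_sha1_salted(password: str, salt: bytes = None) -> str:
    """Salted SHA-1 as discussed in the thread: fast, so only the salt helps."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.sha1(salt + password.encode("utf-8")).hexdigest()
    return "sha1$" + salt.hex() + "$" + digest


def hash_pbkdf2(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted and iterated: the stronger choice for stored passwords."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$" + str(iterations) + "$" + salt.hex() + "$" + dk.hex()


def verify(password: str, stored: str) -> bool:
    """Recompute from the stored salt and compare in constant time."""
    parts = stored.split("$")
    try:
        if parts[0] == "sha1" and len(parts) == 3:
            recomputed = hash_sha1_salted(password, bytes.fromhex(parts[1]))
        elif parts[0] == "pbkdf2_sha256" and len(parts) == 4:
            recomputed = hash_pbkdf2(password, bytes.fromhex(parts[2]), int(parts[1]))
        else:
            return False  # unknown or malformed record
    except ValueError:
        return False  # bad hex or iteration count in the record
    # compare_digest avoids leaking where the strings first differ via timing
    return hmac.compare_digest(recomputed, stored)


def needs_upgrade(stored: str) -> bool:
    """True for legacy salted-SHA-1 records; rehash on next successful login."""
    return not stored.startswith("pbkdf2_sha256$")


if __name__ == "__main__":
    users = {}  # stands in for the MySQL users table (constructed, in memory)
    users["alice"] = hash_sha1_salted("correct horse")   # legacy record
    users["bob"] = hash_pbkdf2("battery staple")           # current scheme
    for name, pw in (("alice", "correct horse"), ("bob", "wrong")):
        ok = verify(pw, users[name])
        print(name, "login ok" if ok else "login failed")
        if ok and needs_upgrade(users[name]):
            users[name] = hash_pbkdf2(pw)  # transparently migrate on login
            print(name, "record upgraded to PBKDF2")
```

The migration path matters for an existing CMS: you cannot rehash what you do not have, so legacy SHA-1 records are upgraded only when a user next logs in and the plaintext is briefly available.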

thuh Freak
2007-05-29, 16:00
Nothing is more secure than rot-13

spotcatbug
2007-05-30, 07:10
Nothing is more secure than rot-13

Except double rot-13!

SilentEchoes
2007-05-30, 07:13
Nothing is more secure than rot-13

ROT-26?

ast3r3x
2007-05-31, 05:07
Thanks guys. :p

Gargoyle
2007-06-01, 13:03
What does MySQL's crypt function use?

I am also creating a CMS and my main admin password is stored in plain text in the config file!

:)

If the server is secure then the password is secure :)

ast3r3x
2007-06-02, 12:24
What does MySQL's crypt function use?

I am also creating a CMS and my main admin password is stored in plain text in the config file!

:)

If the server is secure then the password is secure :)
The admin server, or the password to the mysql server?

Brad
2007-06-02, 12:46
I am also creating a CMS and my main admin password is stored in plain text in the config file!
Right. :) And that's how most web applications work. One must have the password stored somewhere in order to connect to the database. You can obfuscate it in your code, but in the end, your code will be sending the password in plaintext. So, if someone has access to the code enough to read the password (or the obfuscated version), you're already screwed.

The admin server, or the password to the mysql server?
The filesystem on the server. Provided someone can't connect and read the filesystem, it's safe to keep the password in a config file in plaintext. Of course, that file most definitely should be outside of the web root directory.
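Brad's point, that the plaintext database password is acceptable only if the file holding it is outside the web root and unreadable to anyone who can't already read the filesystem as the owner, can be checked mechanically. The following is an added example (not from the thread) that resolves symlinks before comparing paths and rejects any group or world permission bits; the `demo()` layout under a temp directory is constructed for illustration and the `config.php` content is a placeholder.

```python
import os
import stat
import tempfile


def is_outside_web_root(config_path: str, web_root: str) -> bool:
    """True if config_path does not live anywhere under web_root (symlinks resolved)."""
    cfg = os.path.realpath(config_path)
    root = os.path.realpath(web_root)
    try:
        return os.path.commonpath([cfg, root]) != root
    except ValueError:
        # Different drives (Windows): no common prefix, so certainly outside.
        return True


def is_private_to_owner(config_path: str) -> bool:
    """True if neither group nor others hold any permission bit on the file."""
    mode = stat.S_IMODE(os.stat(config_path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_config_placement(config_path: str, web_root: str) -> list:
    """Return a list of problems; an empty list means the placement is acceptable."""
    problems = []
    if not is_outside_web_root(config_path, web_root):
        problems.append("config file is inside the web root and may be served to clients")
    if not is_private_to_owner(config_path):
        problems.append("config file is readable by group or others")
    return problems


def demo() -> dict:
    """Constructed layout: one config inside htdocs (bad), one beside it with mode 0600 (good)."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "htdocs")
    os.makedirs(web_root)
    bad = os.path.join(web_root, "config.php")
    good = os.path.join(base, "config.php")
    for path in (bad, good):
        with open(path, "w") as f:
            f.write("<?php $db_pass = 'PLACEHOLDER'; ?>\n")  # placeholder, not a real secret
    os.chmod(bad, 0o644)   # typical default: world-readable
    os.chmod(good, 0o600)  # owner only
    return {
        "bad": check_config_placement(bad, web_root),
        "good": check_config_placement(good, web_root),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "ok")
```

Run it against the real paths of your deployment (`check_config_placement("/etc/mycms/config.php", "/var/www/htdocs")`, for instance) as part of a deploy script; the same check is cheap to repeat after every server change.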

Gargoyle
2007-06-03, 16:17
The password in my config file is the one that lets you log in to the CMS. But Brad is also correct, your "database user" that your script uses to connect is also stored in some of your scripts somewhere!

So, if you are creating a multi-user system where there could be quite a few users, I would still store the user passwords in plain text in the database so you can send password reminders, instead of a more complicated "reset password" system.