Best method for storing and validating login credentials
I'm relatively new to PHP. Currently I'm using md5() to hash and store passwords. Something like:
According to the PHP manual, crypt() with blow fish is the way to go [unless you think my md5() hashing method above is sufficient]:
$salt = 'SomeSaltString'; //fixed salt
$password = 'SomePassword';
$pass = md5($salt . $password);
However, I don't quite understand how to implement this correctly. A few questions:
$hash = crypt('SomePassword', '$2a$07$StrThatIs21Characters$');
1]. $2a indicates strength level?
2]. $07 something to do with round trips? Please elaborate further on this...
3]. StrThatIs21Characters$ - salt needs to be 22 chars in length including the $. Should this be a fixed salt?? I'm getting conflicting info on this...
These are the important implementation questions:
4]. What part of the output should be stored in the database [in the password column]?
5]. What data type best suits the password column? Perhaps nvarchar?
6]. How should a login attempt be verified when using this method?