What's Your Preferred Hashing Method

I would hope that PHP isn’t guarding the database, or hashing the passwords used to access the database.

I mean, it really doesn’t matter how tight the lock is on your jewelry box, if the house is unlocked the attacker can walk in, take the box, and crack it at leisure.

(The only real point of home security safes is fire protection in my opinion, unless they are bolted down somehow or too large for two men to lift easily).

Certainly yes. But I’d say that md5 can be safe for password hashing provided you have a very strong and long password (unless a vulnerability in md5 was found that enables reverse engineering the original string from the hash). The problem is that most people’s passwords can be brute forced by a dictionary attack, and using a fast algorithm such as md5 makes this task really easy. Once the password is strong then the hacker’s only method is brute forcing all possible combinations, which gets really hard for strong passwords. But I wouldn’t be surprised if even this became feasible soon considering the advances in processing power.

I don’t really see your point, are you presenting some argument against what I said or is this an unrelated statement about security? Of course, you are right but I don’t think a jewelry box is a good analogy because I’d imagine you can’t really make a box that can’t be broken by force with any existing equipment, and once you get to the content you can sell it and become a rich man, in other words the burglar can do the real damage. Hashing passwords is more like keeping your mobile phones and laptops password-protected on the hardware level. This will not prevent the thief from taking your equipment but he will not be able to do anything with it if he doesn’t know the passwords or can break the protections. And what’s more, the protections are only for the passwords, other data is there for the taking. It’s a bit disappointing that hashing passwords takes care of only such a small fraction of security. Did anyone think that hashing protects against breaking the server? :shifty:

It’s hashing user passwords, so that this bit of user data can’t be read even if the database is exposed.

We use specially designed, time-consuming algorithms so that “at their leisure” still means decades or longer.
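The contrast the two posts above draw, a fast unsalted md5 that a dictionary attack chews through quickly versus a deliberately slow, salted password hash that turns "at their leisure" into a very long wait, is easy to see in code. The following is an added example written for this thread, not code from any poster; it uses Python's standard-library PBKDF2-HMAC as the slow algorithm, and the password strings, salt size and iteration count are constructed values chosen here, not taken from the thread.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

# Constructed sample inputs (assumed values, not from the thread).
PASSWORD = "correct horse battery staple"
WRONG_PASSWORD = "Tr0ub4dor&3"

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for illustration;
# a real deployment tunes it so one verification takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def md5_hash(password: str) -> str:
    """Unsalted, single-round MD5: the fast scheme the thread warns about.
    Same password always gives the same digest, so one precomputed
    dictionary of hashes serves against every user in the table."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow hash. Returns a self-describing record
    'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so that
    pbkdf2_verify() can recover the parameters from the stored value."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time. Malformed or foreign records verify as False."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guesses_per_second(hash_fn: Callable[[str], str], seconds: float = 0.5) -> float:
    """Count how many candidate passwords hash_fn can evaluate per second on
    this machine. That rate, not the hash's output size, is what decides how
    long a dictionary or brute-force run against a leaked table takes."""
    deadline = time.perf_counter() + seconds
    n = 0
    while time.perf_counter() < deadline:
        hash_fn(f"candidate{n}")
        n += 1
    return n / seconds


if __name__ == "__main__":
    fixed_salt = os.urandom(SALT_BYTES)
    fast = guesses_per_second(md5_hash)
    slow = guesses_per_second(lambda p: pbkdf2_hash(p, salt=fixed_salt))
    print(f"md5:    {fast:,.0f} guesses/s")
    print(f"pbkdf2: {slow:,.0f} guesses/s  (slowdown factor ~{fast / slow:,.0f}x)")
    record = pbkdf2_hash(PASSWORD)
    print("stored record:", record)
    print("verify correct:", pbkdf2_verify(PASSWORD, record))
    print("verify wrong:  ", pbkdf2_verify(WRONG_PASSWORD, record))
```

Running it prints a slowdown factor in the tens of thousands or more, which is the whole point of the "specially designed, time-consuming" algorithms mentioned above: the attacker who walks off with the table still has to pay that cost for every guess against every account, while the per-user salt stops a single precomputed dictionary from covering everyone at once.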