
April 30th, 2008, 11:17 AM
Other - Tip for storing encrypted passwords
Some of you probably already do this, but I thought this was a great tip and well worth sharing.
If you are storing encrypted passwords, don't simply encrypt the password entered by the user; chances are they won't pick a very secure password and it will be easy to decrypt. Instead, take their username or email (whichever they log in with) and join it onto their password, i.e.:
joe.bloggs@abc.commypassword
And encrypt the whole thing with MD5 or your preferred encryption method.
On the login screen, join the user's username with the password they enter, encrypt, and check for a match in the database. If you accept either username or email for a login and the password they give is incorrect once you join it, get the user's email or username (whichever they didn't enter) using their login name as an ID and try joining the password again.
If the user wants to update either their username or email (whichever you used to encrypt their password), simply ask them to confirm their password and join the two together again; call it a security check!
For updating their password simply get their username from their login session, or just ask for it as another security check!
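The procedure above, written out as an added Python example (not code from the post): the identifier is prefixed to the password and MD5-hashed, login accepts either username or email with the fallback to the other identifier, and an email change requires the password so the digest can be recomputed. The user record is constructed for the example; for comparison, the last two functions show the per-user random salt with a slow hash (PBKDF2) that current password-storage guidance recommends over a fast hash with a predictable prefix.

```python
import hashlib
import hmac
import os

def make_digest(identifier: str, password: str) -> str:
    # The post's scheme: hash the login identifier joined onto the password,
    # so two users with the same password do not store the same digest.
    return hashlib.md5((identifier + password).encode("utf-8")).hexdigest()

# Constructed sample user table: username -> email and stored digest.
USERS = {
    "joe.bloggs": {
        "email": "joe.bloggs@abc.com",
        "digest": make_digest("joe.bloggs@abc.com", "mypassword"),
    },
}

def find_user(login: str):
    """Resolve a login name that may be either a username or an email."""
    if login in USERS:
        return login, USERS[login]
    for name, rec in USERS.items():
        if rec["email"] == login:
            return name, rec
    return None, None

def check_login(login: str, password: str) -> bool:
    name, rec = find_user(login)
    if rec is None:
        return False
    # Try the identifier the user typed first, then the other one, as the post
    # describes; compare_digest avoids leaking the match through timing.
    for prefix in (login, rec["email"], name):
        if hmac.compare_digest(make_digest(prefix, password), rec["digest"]):
            return True
    return False

def change_email(name: str, new_email: str, confirmed_password: str) -> bool:
    """Update the email only after re-checking the password, then re-hash."""
    rec = USERS[name]
    if not hmac.compare_digest(make_digest(rec["email"], confirmed_password), rec["digest"]):
        return False
    rec["email"] = new_email
    rec["digest"] = make_digest(new_email, confirmed_password)
    return True

def make_salted_record(password: str, iterations: int = 200_000):
    # Hardened alternative: random per-user salt plus a deliberately slow KDF.
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def verify_salted_record(password: str, salt: bytes, expected: bytes, iterations: int = 200_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)
```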