On Mon, 2008-01-21 at 14:37 -0500, Mike Potter wrote:
>
> You should have said "yes" and quit while you thought you were ahead.

I'm not trying to get "ahead"... I didn't know I was competing. Are we competing? I thought I was just answering posts.

> > that was me saying that there is certainly a good reason to use a
> > user defined salt-- legacy compatibility. The random salt is useless
> > if you need to create a crypt()'d string that will match the crypt()'d
> > string created by a C program 10 years ago--
>
> Given that the scenario is a cracker who has your user/pass ID table, that
> was never a stated goal, purpose or anything.
>
> > and so in this context,
>
> Okay, you win. I can't provide enough real world data to illustrate
> exactly how wrong you are, in your view because, in your view all
> this real world data does not get parsed properly.

???

> Myself and this is what you were talking around but wouldn't embrace,
> I think the $salt and encryption method both count for a lot. Given
> the same encryption method, why would a user-supplied $salt necessarily
> be better than a random $salt? Answer that only, if you can and expect
> a reply.

I never said it would. I didn't even come close to saying a user defined salt would be better than a random salt given that the encryption method is the same. From what hat did you pull that? I merely indicated reasons why the user defined salt was necessary.

Cheers,
Rob.