On Sat, January 19, 2008 2:11 pm, Nathan Nobbe wrote: > http://www.php.net/manual/en/function.crypt.php > has a second parameter, $salt, which, if not supplied will be > automatically > generated and presumably become a prefix or suffix of the returned > string. Or, in some algorithms, gets buried in the middle at a known offset. Go figure. > now, the article on the phpsec website > http://phpsec.org/articles/2005/password-hashing.html > recommends to externally create a salt and to store that in a separate > field > in the database, which would then be used for subsequent password > verification. You would not need to store it separately, as it is built-in to the crytped value anyway. > theoretically, however, if the password is generated without a user > supplied > salt, > there is a salt already embedded in the password anyway. True. > so, i have the following questions > > 1. is the phpsec technique bloated or unnecessary A bit of bloat, but you have to have a million records or it to even start to matter, really... Disk space is cheap, and not going to be your bottleneck. > 2. is it better to create a user supplied salt, and why or why not Do *NOT* let PHP pick the salt for you. Here is why. Suppose server/host A has Blowfish, Twofish, Redfish, etc, all installed. PHP will pick the "best" one, and choose the salt that makes sense for that algorithm. Now suppose server/host B does NOT have that algorithm installed, and you have moved to server/host B. Suddenly, PHP is picking a different algorithm, and your database has two different kinds of passwords in it, and all kinds of problems ensue. If YOU pick the appropriate salt length/format, PHP will "know" which algorithm you are using, and will error out if that algorithm is not installed, which means you can do something intelligent (like install the dang thing) rather than fill up your DB with incompatible password algorithms. This has happened to me, and it was a royal PITA. :-) > 3. is crypt() 'intended' to be used w/o a user provided salt, since > it > is a stable algorithm I think the intent of making it optional was Good, but in Practice, it's just a Bad Idea (tm). -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/from/lynch Yeah, I get a buck. So? -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php