Richard Lynch wrote:
> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
>> I always make sure that I use a site-specific salt which is just
>> appended to the user supplied value. I started doing that when I read
>> that people had created huge databases of hashed values that they can
>> just search on. At least this way no matter what the password isn't a
>> dictionary word. As for if that really adds value in the end I can't
>> say as I'm not really a security expert.
>> E.g. hash('sha256', $input.$salt);
> The Bad Guys create humongous databases of every dictionary word with
> every possible salt... So what salt you use does not matter...
Sure it does. I could use my server name or the application's url, the
current time, whatever I like and put all of that in the salt. There's
no way they'll have that in their dictionary.
As long as I store the salt I know how to compare it again later.
--
Postgresql & php tutorials
http://www.designmagick.com/
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
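Added example, not code from the thread or from any of its participants: a PHP script that puts the three schemes under discussion side by side, namely a bare sha256, the site-wide salt proposed above (hash('sha256', $input.$salt)), and PHP's own password_hash(), which draws a fresh random salt per call. The salt value, the user names and the three-word "dictionary" are constructed for the example. It shows what a single site-wide salt buys (an attacker's generic precomputed table no longer matches) and what it does not (two users with the same password get the same digest, and once the salt is known one rebuilt table covers every account), which is why a random per-user salt combined with a deliberately slow hash is the usual recommendation. password_hash() and the type declarations used here need PHP 7 or later, so this was not an option when the thread was written in 2008.

```php
<?php
// Added example (not from the original thread). Compares:
//  1. unsalted sha256            - same digest on every site, generic table breaks it
//  2. sha256(password . siteSalt) - the thread's scheme: one salt shared by all users
//  3. password_hash() (bcrypt)   - random 16-byte salt per user plus a work factor
declare(strict_types=1);

// Hypothetical site-specific salt, as in the thread. Keep it out of the
// database (config file or environment): an attacker who dumps the user
// table should not get it for free.
const SITE_SALT = 'example.test-2008-01-19';

function hash_unsalted(string $password): string
{
    return hash('sha256', $password);
}

function hash_site_salted(string $password, string $salt = SITE_SALT): string
{
    return hash('sha256', $password . $salt);
}

function hash_per_user(string $password): string
{
    // bcrypt: password_hash() generates the salt itself and stores it inside
    // the returned string, so nothing extra has to be kept alongside it.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Build a lookup table of digest => word for a given hashing function,
// standing in for the "huge databases of hashed values" from the thread.
function build_table(array $words, callable $hasher): array
{
    $table = [];
    foreach ($words as $word) {
        $table[$hasher($word)] = $word;
    }
    return $table;
}

// Constructed sample dictionary (three words stand in for a real wordlist).
$dictionary = ['password', 'letmein', 'hunter2'];

// --- 1. Unsalted: a generic precomputed sha256 table finds the password.
$genericTable   = build_table($dictionary, 'hash_unsalted');
$storedUnsalted = hash_unsalted('hunter2');
echo "unsalted, generic table:    ",
     $genericTable[$storedUnsalted] ?? '(not found)', "\n";

// --- 2. Site-wide salt: the same generic table no longer matches ...
$storedSalted = hash_site_salted('hunter2');
echo "site-salted, generic table: ",
     $genericTable[$storedSalted] ?? '(not found)', "\n";

// ... but every user shares the salt, so equal passwords are visible as
// equal digests in a dumped table ...
$alice = hash_site_salted('hunter2');
$bob   = hash_site_salted('hunter2');
echo "alice and bob share a digest: ", var_export($alice === $bob, true), "\n";

// ... and an attacker who learns the salt rebuilds the table once and
// runs it against every account in the dump.
$saltedTable = build_table($dictionary, 'hash_site_salted');
echo "site-salted, leaked salt:   ",
     $saltedTable[$storedSalted] ?? '(not found)', "\n";

// --- 3. Per-user random salt (bcrypt): same password, different digests,
// and any table would have to be rebuilt per user at bcrypt cost.
$aliceBcrypt = hash_per_user('hunter2');
$bobBcrypt   = hash_per_user('hunter2');
echo "bcrypt digests equal:       ", var_export($aliceBcrypt === $bobBcrypt, true), "\n";
echo "password_verify(correct):   ", var_export(password_verify('hunter2', $aliceBcrypt), true), "\n";
echo "password_verify(wrong):     ", var_export(password_verify('hunter3', $aliceBcrypt), true), "\n";
```

Run it with `php salts.php`. The first lookup recovers "hunter2" from the unsalted digest, the second fails against the generic table, alice and bob then turn out to share one digest under the site-wide salt, and the rebuilt table with the leaked salt recovers "hunter2" again; the two bcrypt digests differ even though the password is the same, and only password_verify() with the right password returns true. When comparing digests yourself, as the thread's scheme requires, use hash_equals() rather than === to avoid a timing side channel; password_verify() already does this internally.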