Re: password hashing and crypt()

Richard Lynch wrote:
> On Tue, January 22, 2008 7:43 pm, Chris wrote:
>> Richard Lynch wrote:
>>> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote:
>>>> I always make sure that I use a site specific salt which is just
>>>> appended on the user supplied value.  I started doing that when I read
>>>> that people had created huge databases of hashed values that they can
>>>> just search on.  At least this way no matter what the password isn't a
>>>> dictionary word.  As for if that really adds value in the end I can't
>>>> say as I'm not really a security expert.
>>>>
>>>> E.g. hash('sha256', $input.$salt);
>>> The Bad Guys create humongous databases of every dictionary word with
>>> every possible salt...  So what salt you use does not matter...
>> Sure it does. I could use my server name or the application's url, the
>> current time, whatever I like and put all of that in the salt. There's
>> no way they'll have that in their dictionary.
>>
>> As long as I store the salt I know how to compare it again later.
>
> For the algorithms used by crypt(), the salt is IN the crypted value.

Yeh - I pointed that out here:
http://marc.info/?l=php-general&m=120095678525654&w=2

But Eric's example was using sha256, not crypt.

--
Postgresql & php tutorials
http://www.designmagick.com/
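The two schemes the thread contrasts, as an added example (not code from any poster): a fixed site-wide salt appended before sha256, versus crypt() with a random per-user salt that is carried inside the result and read back at verification time. The constant SITE_SALT and the test passwords are constructed values, not anything from the list.

```php
<?php
// Eric's scheme: one fixed site-wide salt appended to the password.
// SITE_SALT is an assumed, constructed value for this example.
const SITE_SALT = 'example-site-salt';

function siteSaltedHash(string $password): string {
    return hash('sha256', $password . SITE_SALT);
}

// crypt() scheme: a fresh random salt per password. crypt() embeds the
// algorithm id, cost and salt in its output, so only the stored string is
// needed to verify later (password_hash()/password_verify() wrap the same idea).
function cryptHash(string $password): string {
    // Blowfish ($2y$) wants a 22-char salt from [./A-Za-z0-9]; base64 of
    // 16 random bytes gives 24 chars, so remap '+' and take the first 22.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, '$2y$10$' . $salt);
}

function cryptVerify(string $password, string $stored): bool {
    // Passing the stored value as the salt makes crypt() reuse the
    // embedded algorithm, cost and salt; compare in constant time.
    return hash_equals($stored, crypt($password, $stored));
}

// With a fixed site-wide salt, two users who chose the same password end
// up with the same stored hash: one lookup table, built once for that
// salt, covers every account on the site.
$alice = siteSaltedHash('correct horse');
$bob   = siteSaltedHash('correct horse');
echo "site-wide salt, same password, same hash: ", var_export($alice === $bob, true), "\n";

// With a per-user salt the same password produces different stored
// values, so a table would have to be rebuilt for every account.
$alice2 = cryptHash('correct horse');
$bob2   = cryptHash('correct horse');
echo "crypt(), same password, same hash:        ", var_export($alice2 === $bob2, true), "\n";
echo "crypt() accepts correct password:         ", var_export(cryptVerify('correct horse', $alice2), true), "\n";
echo "crypt() accepts wrong password:           ", var_export(cryptVerify('wrong', $alice2), true), "\n";
```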

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

