On Wed, 2008-01-23 at 00:40 -0500, Nathan Nobbe wrote:
> alright, so you guys have responded and im really appreciative.
> you have me thinking now..
> so what are the real issues here?
>
> 1. portability
> 2. security (obviously)
>
> im wondering now if crypt() is really even so practical. especially
> considering the deal where only 2 characters are prepended as the
> salt.
> in the article i referenced, what theyve done is written a function
> that creates a password with a salt whereby the entire salt
> will be used in the resultant hash (actually a definable portion thereof):
>
> define('SALT_LENGTH', 9);
>
> function generateHash($plainText, $salt = null)
> {
>     if ($salt === null)
>     {
>         $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
>     }
>     else
>     {
>         $salt = substr($salt, 0, SALT_LENGTH);
>     }
>
>     return $salt . sha1($salt . $plainText);
> }
>
> i must admit that i didnt realize they were not using crypt() in this
> function.
> i must have glazed over it :(
> after all this discussion, im now mostly looking for a reason to use crypt()
> rather than to implement a function such as the one above. it has the
> advantage of a known, consistent algorithm, that will be used to generate
> the hash, rather than one that could potentially change on a per system or
> future release basis; and the salt isnt limited to 2 characters.

Other than supporting legacy apps that used crypt() I don't see any
reason to use it now.

Cheers,
Rob.
-- 
...........................................................
SwarmBuy.com - http://www.swarmbuy.com
Leveraging the buying power of the masses!
...........................................................
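
The verification side of the two schemes discussed in this message, as an added example that is not part of the original post or the referenced article: both the quoted generateHash() and crypt() store the salt at the front of the hash, so a login check re-hashes the candidate password with the stored value as the salt source and compares the results. The helpers verifyHash() and verifyCrypt() and the sample passwords are assumptions made for illustration; hash_equals() needs PHP 5.6 or later.

```php
<?php
define('SALT_LENGTH', 9);

// generateHash() as quoted in the message above, repeated so this block runs on its own.
function generateHash($plainText, $salt = null)
{
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plainText);
}

// Hypothetical helper: the stored value begins with its own salt, so passing it
// back as $salt makes generateHash() reuse the first SALT_LENGTH characters.
function verifyHash($plainText, $stored)
{
    // A valid record is the salt followed by the 40 hex digits of SHA-1.
    if (!is_string($stored) || strlen($stored) !== SALT_LENGTH + 40) {
        return false;
    }
    // hash_equals() compares in constant time, unlike == or ===.
    return hash_equals($stored, generateHash($plainText, $stored));
}

// Hypothetical helper: crypt() works the same way, reading the salt (2 characters
// for traditional DES) from the front of the stored hash.
function verifyCrypt($plainText, $stored)
{
    // Traditional DES output is 13 characters; shorter values are failure markers.
    if (!is_string($stored) || strlen($stored) < 13) {
        return false;
    }
    $candidate = crypt($plainText, $stored);
    return is_string($candidate) && hash_equals($stored, $candidate);
}

// Constructed sample data: one record per scheme, checked with a right and a wrong password.
$sha1Record = generateHash('correct horse');
$desRecord  = crypt('horse', 'ab'); // 2-character salt selects traditional DES

var_dump(verifyHash('correct horse', $sha1Record));
var_dump(verifyHash('wrong horse', $sha1Record));
var_dump(verifyCrypt('horse', $desRecord));
var_dump(verifyCrypt('mule', $desRecord));
```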