Well, the idea would be to allow the person downloading and implementing the application to choose their own salt value. That way, in theory, each implementation of the application will be salting the hash algorithm with a different value. I guess, if you really wanted to get tricky, you could programmatically generate a random string on first run of the application and store it in a background db or in your config file, so that you could be more certain that the salt value from implementation to implementation was different.

M is for Murray

On Thu, Jan 1, 2009 at 12:12 AM, Jason Pruim <japruim@xxxxxxxxxx> wrote:
>
> On Dec 31, 2008, at 5:36 AM, Richard Heyes wrote:
>
> > Hi,
> >
> > ...
> >
> > You should also take into account how crucial your data is. If it's
> > nuclear launch codes I would say that you can't get enough security.
> > However if it's an admin system for Bob's local grocery store, then as
> > "Phpster" suggested, a salted hash may well be enough. For example,
> > you could use this:
> >
> > <?php
> > $hash = md5($password . 'salt - bhuyfuyftyfctujvikhgvbhjiftye5645rt68ty97tgifyvcu6yt7d');
> > ?>
>
> Correct me if I'm wrong... but assuming that your salt string is hard coded
> into the program, with a MD5 a password + salt is no more secure than a
> simple password?
>
> Unless... When they log in, you store a MD5 hash of the salt in a separate
> field in the database, and store it in a cookie so it can be compared.
>
> Or am I just missing something obvious like usual? :)
>
> --
> Jason Pruim
> japruim@xxxxxxxxxx
> 616.399.2355
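An added example, not code from this thread, in the direction Murray describes: a per-installation secret generated on first run and kept in a config file, combined with a fresh random salt per user instead of one string hard-coded into the program. It assumes PHP 7 or later and a writable config directory; the file name and function names are my own.

```php
<?php
// Added example, not from the thread. Per-installation secret created on
// first run (as Murray suggests) plus a random per-user salt, so a hard-coded
// salt never ends up shared by every copy of the application.
// Assumes PHP >= 7.0 (random_bytes, hash_equals) and a writable config dir.

const SECRET_FILE = __DIR__ . '/install_secret.txt'; // hypothetical path

// Generate the installation secret once and reuse it on later runs.
function installSecret(): string {
    if (!is_file(SECRET_FILE)) {
        file_put_contents(SECRET_FILE, bin2hex(random_bytes(32)), LOCK_EX);
        chmod(SECRET_FILE, 0600); // readable by the application user only
    }
    return trim(file_get_contents(SECRET_FILE));
}

// Derive the stored value: the per-user salt and the installation secret
// both feed PBKDF2, which is deliberately slow, unlike a single md5() call.
function deriveHash(string $password, string $salt): string {
    return hash_pbkdf2('sha256', $password, $salt . installSecret(), 100000);
}

// On registration: a new random salt per user; store salt and hash in the DB.
function storePassword(string $password): array {
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => deriveHash($password, $salt)];
}

// On login: recompute with that user's stored salt; compare in constant time.
function checkPassword(string $password, array $row): bool {
    return hash_equals($row['hash'], deriveHash($password, $row['salt']));
}

$row = storePassword('correct horse battery staple'); // constructed sample
var_dump(checkPassword('correct horse battery staple', $row));
var_dump(checkPassword('wrong password', $row));
```

In current PHP, password_hash() and password_verify() handle the per-user salt and the slow hash for you and are the usual choice; the point here is the structure the thread is discussing.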