Carl Furst wrote:
<?php
# the salt should be the same salt used when storing passwords to your
# database, otherwise it won't work
$salt = 'someglobalsaltstring';
$passwd = crypt($_GET['passwd'], $salt);
I personally use the username and the salt.
That way two users with identical passwords have different hashes.
With large databases, many users will have the same password; there are
some that are just commonly used. The hackers know what they are, and if
they get your hash dump, they try their list of commonly used passwords
against the user names that have the common hashes.
By using the username as part of the salt, you avoid that issue because
identical passwords will have different hashes.
It does mean the password has to be reset if you allow them to change
their login name.
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
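The per-user salting scheme from the reply above, as an added Python example that is not code from the original thread: hashlib's PBKDF2-HMAC stands in for PHP's crypt(), and GLOBAL_SALT, the usernames and the password are constructed values. It goes one step beyond the post by also showing a random per-user salt stored beside the hash, which keeps identical passwords apart without forcing a reset when the login name changes.

```python
import hashlib
import hmac
import os

GLOBAL_SALT = b"someglobalsaltstring"  # role of the list's $salt (constructed value)
ITERATIONS = 100_000

def derive_user_salt(username: str) -> bytes:
    # Global salt plus username, the scheme the reply describes.
    return GLOBAL_SALT + username.encode()

def hash_password(password: str, salt: bytes) -> str:
    # PBKDF2-HMAC-SHA256 stands in for PHP's crypt(); only the salting logic matters.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def store_user(username: str, password: str) -> dict:
    # Username-derived salt: only the hash needs to be stored.
    return {"username": username, "hash": hash_password(password, derive_user_salt(username))}

def verify(record: dict, username: str, password: str) -> bool:
    # The salt is recomputed from the username presented at login, not read from the record.
    candidate = hash_password(password, derive_user_salt(username))
    return hmac.compare_digest(candidate, record["hash"])

def store_user_random_salt(username: str, password: str) -> dict:
    # Alternative not in the post: a random per-user salt stored beside the hash.
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": hash_password(password, salt)}

def verify_random_salt(record: dict, password: str) -> bool:
    # The salt comes from the record, so the username plays no part in verification.
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])

def demo() -> tuple:
    alice = store_user("alice", "password123")  # two users, one common password (constructed)
    bob = store_user("bob", "password123")
    distinct_hashes = alice["hash"] != bob["hash"]
    login_ok = verify(alice, "alice", "password123")
    # After a rename the stored hash was salted with "alice", so the same password no
    # longer verifies: the forced reset the reply mentions.
    renamed_ok = verify(alice, "alice2", "password123")
    carol = store_user_random_salt("carol", "password123")
    carol["username"] = "carol2"  # rename with a stored salt: still verifies
    renamed_random_ok = verify_random_salt(carol, "password123")
    return distinct_hashes, login_ok, renamed_ok, renamed_random_ok
```

demo() returns (True, True, False, True): the shared password hashes differently per user, a login with the original name works, the renamed user no longer verifies, and the stored-salt variant survives the rename.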