These are great ideas. Another option would be to have the user choose a PIN number and use either the literal PIN or the encrypted PIN as part of the salt. This way only when you change the PIN do you need to change the password, which is probably what you would want anyway.

Michael A. Peters wrote:
> Carl Furst wrote:
>
>> <?php
>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
>>                                 # when storing passwords to your database,
>>                                 # otherwise it won't work
>> $passwd = crypt($_GET['passwd'], $salt);
>
> I personally use the username and the salt.
> That way two users with identical passwords have different hashes.
>
> With large databases, many users will have the same password; there
> are some that are just commonly used. The hackers know what they are,
> and if they get your hash dump, they try their list of commonly used
> passwords against the user names that have the common hashes.
>
> By using the username as part of the salt, you avoid that issue
> because identical passwords will have different hashes.
>
> It does mean the password has to be reset if you allow them to change
> their login name.
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
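As an added example (not code from anyone in this thread), here is the username-as-salt scheme Michael describes, written against PHP's crypt() in its SHA-512 mode rather than the two-character DES salt of the quoted snippet. It assumes PHP 5.6 or later (for hash_equals) and a constructed site-wide secret named SITE_SALT; the rename caveat from the thread is shown at the end.

```php
<?php
// Added example, not from the thread. Per-user salt = site secret + username.
define('SITE_SALT', 'someglobalsaltstring'); // constructed placeholder; keep it out of the DB

// Derive a 16-character crypt() salt that differs for every username.
// The SHA-512 crypt salt alphabet is [./0-9A-Za-z]; base64 also emits '+' and '=',
// so '+' is mapped to '.' and the '=' padding is stripped.
function user_salt($username) {
    $raw = base64_encode(hash('sha256', SITE_SALT . '|' . $username, true));
    $raw = strtr(rtrim($raw, '='), '+', '.');
    return substr($raw, 0, 16);
}

// "$6$" selects SHA-512 crypt (default 5000 rounds); the salt is embedded in the output.
function hash_password($username, $password) {
    return crypt($password, '$6$' . user_salt($username) . '$');
}

// Verify by re-deriving the salt from the current username, as in Michael's scheme,
// and comparing in constant time so timing does not leak how many bytes matched.
function check_password($username, $stored_hash, $password) {
    return hash_equals($stored_hash, hash_password($username, $password));
}

// Two users with an identical password get different hashes, which defeats the
// "look for repeated hashes in the dump" trick described above.
$alice = hash_password('alice', 'password1');
$bob   = hash_password('bob',   'password1');
var_dump($alice !== $bob);                                  // bool(true)
var_dump(check_password('alice', $alice, 'password1'));     // bool(true)
var_dump(check_password('alice', $alice, 'password2'));     // bool(false)

// The caveat from the thread: once the login name changes, the derived salt
// changes too, so the old hash no longer verifies until the password is reset.
var_dump(check_password('alice2', $alice, 'password1'));    // bool(false)
```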