On Wednesday 08 July 2009 04:25:46 Carl Furst wrote:
> These are great ideas.
>
> Another option would be to have the user choose a PIN number and use
> either the literal PIN or the encrypted PIN as part of the salt. This
> way only when you change the PIN do you need to change the password,
> which is probably what you would want anyway.
>
> Michael A. Peters wrote:
> > Carl Furst wrote:
> >> <?php
> >> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
> >>                                 # when storing passwords to your database,
> >>                                 # otherwise it won't work
> >> $passwd = crypt($_GET['passwd'], $salt);
> >
> > I personally use the username and the salt.
> > That way two users with identical passwords have different hashes.
> >
> > With large databases, many users will have the same password; there
> > are some that are just commonly used. The hackers know what they are,
> > and if they get your hash dump, they try their list of commonly used
> > passwords against the user names that have the common hashes.
> >
> > By using the username as part of the salt, you avoid that issue
> > because identical passwords will have different hashes.
> >
> > It does mean the password has to be reset if you allow them to change
> > their login name.

and then make a visit to their house to give them a secondary password that they have to use. Make sure you're not tailed on the way to avoid the password being intercepted...

Thanks,
Ash
http://www.ashleysheridan.co.uk

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
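The thread above contrasts one salt shared by every account (Carl's snippet) with mixing the username into the salt (Michael's scheme), and notes the cost of the latter: a rename forces a password reset. The following Python is an added example, not code from the thread or from any of its posters; it uses PBKDF2 from the standard library instead of PHP's crypt(), and the three sample accounts are constructed for the demonstration. It shows what a leaked dump reveals under each scheme and adds a third variant, a random per-account salt stored beside the hash, which gives the same protection without tying the hash to the login name.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# The single shared salt from the quoted snippet (constructed value).
GLOBAL_SALT = b"someglobalsaltstring"
ITERATIONS = 100_000


def hash_global(password: str) -> str:
    """Scheme from the quoted snippet: one salt shared by every account."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), GLOBAL_SALT, ITERATIONS).hex()


def hash_with_username(username: str, password: str) -> str:
    """Michael's scheme: the username is mixed into the salt. The stored value
    therefore changes if the login name changes, hence his note about resets."""
    salt = GLOBAL_SALT + b"|" + username.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()


def hash_random_salt(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Variant not discussed in the thread: a fresh random salt per account,
    stored next to the hash. Renaming the account needs no reset."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex(), digest.hex()


def verify_random_salt(password: str, salt_hex: str, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), stored_hex)


# Constructed sample accounts: three users, two of whom chose the same password.
USERS = [("alice", "letmein"), ("bob", "letmein"), ("carol", "correct horse")]


def duplicate_hash_groups(hashes: Dict[str, str]) -> List[List[str]]:
    """What a reviewer of a leaked dump can see at a glance: usernames whose
    stored hash is byte-for-byte identical. Under a shared salt each group is
    a set of accounts that share a password."""
    by_hash: Dict[str, List[str]] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


def compare_schemes() -> Tuple[List[List[str]], List[List[str]]]:
    """Return the duplicate groups visible under the shared-salt scheme and
    under the username-salt scheme for the sample accounts."""
    global_hashes = {u: hash_global(p) for u, p in USERS}
    per_user_hashes = {u: hash_with_username(u, p) for u, p in USERS}
    return duplicate_hash_groups(global_hashes), duplicate_hash_groups(per_user_hashes)


if __name__ == "__main__":
    shared, per_user = compare_schemes()
    print("shared salt, identical hashes:", shared)    # [['alice', 'bob']]
    print("username salt, identical hashes:", per_user)  # []
    salt_hex, stored = hash_random_salt("letmein")
    print("random salt verifies:", verify_random_salt("letmein", salt_hex, stored))
```

Running it shows that with the shared salt alice and bob are exposed as having the same password before a single guess is made, while either per-user scheme leaves no identical hashes to group. The random-salt variant keeps that property and lets you rename an account freely, at the cost of one extra stored column.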