On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters <mpeters@xxxxxxx> wrote:
> Carl Furst wrote:
>
>> <?php
>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
>>                                 # when storing passwords to your database,
>>                                 # otherwise it won't work
>> $passwd = crypt($_GET['passwd'], $salt);
>
> I personally use the username and the salt.
> That way two users with identical passwords have different hashes.
>
> With large databases, many users will have the same password; there are some
> that are just commonly used. The hackers know what they are, and if they get
> your hash dump, they try their list of commonly used passwords against the
> user names that have the common hashes.
>
> By using the username as part of the salt, you avoid that issue because
> identical passwords will have different hashes.
>
> It does mean the password has to be reset if you allow them to change their
> login name.

The password does not need to be reset. You could require that they provide the password again (even though they are already authenticated) on the same form with the new username. Then you can do the same encrypt/compare that you do for authentication, and if it matches you just update the username and the hash at the same time.

Andrew

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
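The scheme the thread describes, as an added example that is not code from any of the posters: the username folded into the crypt() salt so identical passwords hash differently, and a username change that re-checks the password and rewrites username and hash in one step. SITE_SALT, userSalt(), and the $users array standing in for the database table are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Assumes a fixed site-wide salt
// and crypt() with the SHA-512 ($6$) mode available on the server.

const SITE_SALT = 'someglobalsaltstring';  // must stay fixed for the life of the DB

// Derive a per-user salt from username + site salt. The $6$ prefix selects
// SHA-512 crypt, whose 16-char salt keeps all of the derived material
// (the legacy DES mode would silently keep only the first two characters).
function userSalt(string $username): string {
    return '$6$' . substr(hash('sha256', $username . SITE_SALT), 0, 16) . '$';
}

function hashPassword(string $username, string $password): string {
    return crypt($password, userSalt($username));
}

function verifyPassword(string $password, string $storedHash): bool {
    // Passing the stored hash as the salt re-uses its embedded salt and mode;
    // hash_equals() compares in constant time to avoid a timing side channel.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Username change as Andrew describes: the form carries the new username and
// the current password; verify the password, then update name and hash together.
function changeUsername(array &$users, string $old, string $new, string $password): bool {
    if (!isset($users[$old]) || isset($users[$new])) {
        return false;                       // unknown old name or new name taken
    }
    if (!verifyPassword($password, $users[$old])) {
        return false;                       // wrong password: nothing changes
    }
    $users[$new] = hashPassword($new, $password);  // hash bound to the new name
    unset($users[$old]);
    return true;
}

// Constructed demo data: two users sharing the same password.
$users = [
    'alice' => hashPassword('alice', 'password1'),
    'bob'   => hashPassword('bob',   'password1'),
];
var_dump($users['alice'] !== $users['bob']);                   // distinct hashes
var_dump(changeUsername($users, 'bob', 'robert', 'password1'));
var_dump(verifyPassword('password1', $users['robert']));
var_dump(isset($users['bob']));
```

On current PHP, password_hash() stores a random per-user salt inside the hash string, which gives the same "identical passwords, different hashes" property without coupling the hash to the username at all.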