Marco,

Aha... Thanks. I guess there is no need to add a salt if I'm the only admin using the database interface. But I guess if you want to be more secure etc. it would be best to add it, so if someone grabbed the database they will find no matches.

I really have to look into making my databases more secure than they already are. Any good websites that are good reading for this? I mean reliable sites with no bull ***rubbish*** which do not send the wrong messages.

Jerry

--- Marco Tabini <marcot@tabini.ca> wrote:
> On Tue, 2003-06-24 at 09:36, JeRRy wrote:
> > Hi,
> >
> > Hmmm okay... So if the password was.
> >
> [snip]
>
> There are ways to avoid this. Typically, you can add a random token (or
> a salt) to the password before you calculate its checksum. This way, two
> users with the same password will have two different hashes.
>
> However, a brute-force approach as the one suggested is *not* quite as
> simple and powerful as it looks. Assuming that there are even just 62
> valid characters for the password (uppercase+lowercase+digits), to go
> over passwords as short as five characters you'd have to do 380,204,032
> iterations. Add one more digit and you're already up to 19,770,609,664.
> Sure, these are not insurmountable numbers, but they quickly add up with
> more and more characters (and I'm not even counting all the
> possibilities when it comes to making this more secure).
>
> Mt.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
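Added example, not code from the list thread (and in Python rather than the PHP the list is about): a toy password store that makes both points of the exchange above concrete. A per-user random salt turns identical passwords into distinct stored hashes, so a stolen table no longer gives away which users share a password and one precomputed lookup no longer serves the whole table; but the salt does not shrink the search space Marco counts, it only forces an attacker to repeat the search once per user instead of once per table. The user names, passwords and the 36-symbol character set are constructed for the demonstration; sha256 stands in for the md5 of the period.

```python
import hashlib
import hmac
import itertools
import os
import string

# Added example for the thread above; not code from the list. It uses sha256
# where the 2003 discussion would have used md5; today a dedicated password
# KDF (bcrypt, scrypt, argon2) with a per-user salt is the right tool.

# Constructed character set for the toy brute-force runs: 36 symbols, so a
# 3-character search is at most 36**3 = 46,656 candidates and runs instantly.
CHARSET = string.ascii_lowercase + string.digits


def hash_password(password: str, salt: bytes = b"") -> str:
    """Checksum of salt || password. An empty salt is the unsalted scheme."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def add_user(store: dict, name: str, password: str, salted: bool = True) -> None:
    """Record (salt, digest) for a user; a fresh 16-byte random salt per user."""
    salt = os.urandom(16) if salted else b""
    store[name] = (salt, hash_password(password, salt))


def verify(store: dict, name: str, password: str) -> bool:
    """Recompute with the stored salt and compare digests in constant time."""
    salt, digest = store[name]
    return hmac.compare_digest(hash_password(password, salt), digest)


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates in an exhaustive search of exactly `length` chars."""
    return charset_size ** length


def crack(store: dict, charset: str, length: int) -> tuple[dict, int]:
    """Brute-force every user whose password is exactly `length` chars of `charset`.

    Returns (recovered {user: password}, number of hash evaluations). Users
    sharing a salt (every user, when unsalted) are attacked in one pass over
    the keyspace; a distinct salt per user forces one full pass per user.
    """
    by_salt: dict[bytes, dict[str, list[str]]] = {}
    for name, (salt, digest) in store.items():
        by_salt.setdefault(salt, {}).setdefault(digest, []).append(name)

    recovered: dict[str, str] = {}
    evaluations = 0
    for salt, targets in by_salt.items():
        pending = dict(targets)
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            evaluations += 1
            hit = pending.pop(hash_password(candidate, salt), None)
            if hit:
                for name in hit:
                    recovered[name] = candidate
                if not pending:
                    break
    return recovered, evaluations


if __name__ == "__main__":
    unsalted, salted = {}, {}
    for store, flag in ((unsalted, False), (salted, True)):
        add_user(store, "alice", "ab1", salted=flag)
        add_user(store, "bob", "ab1", salted=flag)
    print("same digest when unsalted:", unsalted["alice"][1] == unsalted["bob"][1])
    print("same digest when salted:  ", salted["alice"][1] == salted["bob"][1])
    for label, store in (("unsalted", unsalted), ("salted", salted)):
        found, work = crack(store, CHARSET, 3)
        print(f"{label}: recovered {found} with {work} hash evaluations")
    print("62^5 =", keyspace(62, 5), " 52^5 =", keyspace(52, 5))
```

Two checks worth making against the numbers quoted in the thread: 62^5 is 916,132,832, while 380,204,032 and 19,770,609,664 are 52^5 and 52^6, the counts for letters only. And the salt buys exactly what `crack` shows: the same 64 candidates find both users in one pass when the store is unsalted, and the attacker needs 128 evaluations, one pass per user, once each has a distinct salt. A salt stops one lookup table from serving the whole database; it is not a substitute for a slow, dedicated password hash.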