RE: MD5, MySQL, and salts


For an example, look at how UNIX/Linux stores regular login passwords. In
short, the salt is the first two characters in the password. When comparing
passwords, you take the salt and the user-supplied password, encrypt, then
compare the two encrypted strings. If they match, the recently supplied
password matches the original. AFAIK, that is the only way to verify
passwords encrypted with a one-way algorithm.

Giff

-----Original Message-----
From: chris smith [mailto:dmagick@xxxxxxxxx] 
Sent: Monday, April 17, 2006 4:36 PM
To: Sean Mumford
Cc: php-db@xxxxxxxxxxxxx
Subject: Re:  MD5, MySQL, and salts

On 4/18/06, Sean Mumford <smumford@xxxxxxxxxxxxxxxxxx> wrote:
> Hi Guys,
> I'm working on securing user passwords in a MySQL 4 database with a 
> PHP5 frontend. I remember being told in one of my classes (I'm 
> currently a college junior) that the best way would be to hash a salt 
> and the password together and then store the hash in the database 
> instead of the plain MD5 hash. My question is, what is a good method 
> for the server and the database to agree on a salt value to use? I 
> know I could use a predefined variable, but I was wondering if 
> something dynamic might be better (timestamp, current date, something like
> that). Any ideas? Thanks in advance!

If it's a dynamic salt, how are you going to access it when you have to
compare?

There was an article either on phpsec.org or shiflett.org which talks about
this.. can't find the link right now :(

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit:
http://www.php.net/unsub.php
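
The flow discussed in this thread (store the salt with the hash, read it back at login, re-hash the supplied password and compare), as an added example that is not part of the original messages. It assumes PHP 7.1 or later and uses PBKDF2-HMAC-SHA256 in place of the MD5 named in the question; the function names, record format and iteration count are hypothetical choices for this illustration.

```php
<?php
// Added example, not from the thread. Function names, the record format and
// the iteration count are assumptions made for this illustration.
// Record stored in one DB column: pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>
const PBKDF2_ITERATIONS = 600000;

function make_password_record(string $password): string
{
    $salt = random_bytes(16);  // fresh random salt per user, not a timestamp or date
    $hash = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 0, true);
    return implode('$', ['pbkdf2-sha256', PBKDF2_ITERATIONS, bin2hex($salt), bin2hex($hash)]);
}

function verify_password_record(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;  // unknown or malformed record
    }
    [, $iterations, $saltHex, $hashHex] = $parts;
    if (!ctype_digit($iterations) || (int)$iterations < 1
        || !ctype_xdigit($saltHex) || strlen($saltHex) % 2 !== 0
        || !ctype_xdigit($hashHex) || strlen($hashHex) % 2 !== 0) {
        return false;
    }
    // Re-derive with the salt and cost read back from the stored record.
    $actual = hash_pbkdf2('sha256', $password, hex2bin($saltHex), (int)$iterations, 0, true);
    return hash_equals(hex2bin($hashHex), $actual);  // constant-time comparison
}

// Constructed demo: an array stands in for the MySQL users table.
$users = ['alice' => make_password_record('correct horse battery staple')];
$other = make_password_record('correct horse battery staple');

var_dump(verify_password_record('correct horse battery staple', $users['alice']));
var_dump(verify_password_record('wrong guess', $users['alice']));
// Same password, different salt: the two stored records are compared here.
var_dump($users['alice'] === $other);
```

PHP's built-in password_hash() and password_verify() (PHP 5.5 and later) follow the same pattern, embedding the algorithm, cost and salt in the string they return.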
