On 4/18/06, Giff Hammar <ghammar@xxxxxxxxxxxxxxxxxx> wrote:
> For an example, look at how UNIX/Linux stores regular login passwords. In
> short, the salt is the first two characters in the password. When comparing
> passwords, you take the salt and the user supplied password, encrypt, then
> compare the two encrypted strings. If they match, the recently supplied
> password matches the original. AFAIK, that is the only way to verify
> passwords encrypted with a one-way algorithm.

I badly worded my response, but yes you're right.

Anyway I found the article I was thinking of:
http://phpsec.org/articles/2005/password-hashing.html
(which ironically suggests the opposite of what I said - use a random salt :P).

--
Postgresql & php tutorials
http://www.designmagick.com/

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
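The store-the-salt-as-a-prefix and verify-by-rehashing scheme the quoted mail describes, written out as an added example that is not part of the original thread. It assumes PBKDF2-HMAC-SHA256 with a random 16-byte salt in place of the DES-based crypt(3) and its two-character salt, and the `salt$digest` record layout is an assumption made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Record layout (assumed for this example): "<salt_hex>$<digest_hex>".
# The salt sits in the clear at the front of the record, in the spirit of
# the two-character crypt(3) salt; the digest is PBKDF2-HMAC-SHA256.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record; a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Pull the salt out of the record, re-derive, and compare in constant time."""
    try:
        salt_hex, digest_hex = stored.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: a failed login, not a crash
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def same_password_different_records(password: str) -> bool:
    """With random salts, two users sharing a password still get distinct records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print(record)
    print(verify_password("correct horse", record))          # True
    print(verify_password("wrong", record))                  # False
    print(same_password_different_records("correct horse"))  # True
```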