Yup - it's one way, so if you changed the salt you'd bust everything. The one-way-ness of it helps it be more secure as it is impossible (probably) to take an encrypted password and reverse it. When a user logs in Cake encrypts the value and compares it with the stored (encrypted) value to see if they match.
Jeremy Burns
Class Outfit
http://www.classoutfit.com

On 21 Oct 2011, at 17:36, Shukuboy wrote:

> Hi,
>
> I've been using Auth in a website under development and it seems to be working fine. The only potential concern I have is that it uses the 'salt' for generating the encrypted password, and obviously to check it against the provided password during login.
>
> My questions are:
> - Isn't md5 an irreversible (technically) algorithm?
> - Is it really necessary to use the salt as part of the key that's used for encryption using md5? Would that make it harder to crack the password?
> - Is it good practice to change the salt once in a while, or is it supposed to stay the same? What happens if the salt in the website changes, would no user be able to log in again?
>
> As you might have guessed, cryptography isn't really my thing, and hence I'd appreciate it if anyone could shed some light on these.
>
> Cheers,
>
> --
> Our newest site for the community: CakePHP Video Tutorials
> http://tv.cakephp.org
> Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
>
> To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/cake-php
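The login flow described in the reply (hash the submitted password with the site salt, compare with the stored digest) and the effect of changing that salt, as an added example that is not code from the thread or from CakePHP. It assumes the salt is simply prepended to the password before hashing; the salt value, user passwords and the per-user-salt helper are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for an application-wide salt (e.g. a Security.salt
# config value). Not a real key; a deployment uses its own secret value.
SITE_SALT = "example-site-salt-not-secret"


def hash_password(password, salt, algo="sha1"):
    """One-way: digest(salt + password). There is no decrypt step; the only
    way to 'check' a password is to recompute the digest and compare.
    Assumption: salt is prepended, which is how this example models Cake."""
    return hashlib.new(algo, (salt + password).encode("utf-8")).hexdigest()


def verify_password(candidate, stored_hash, salt, algo="sha1"):
    """Login check: hash the candidate exactly as at registration and compare.
    compare_digest prevents leaking the matching prefix length via timing."""
    return hmac.compare_digest(hash_password(candidate, salt, algo), stored_hash)


def hash_password_per_user(password, algo="sha256"):
    """Mitigation for a single site-wide salt: a random per-user salt stored
    beside the digest, so two users with the same password get different
    hashes. (A fast digest like md5/sha1 is still not a modern password
    hash; a slow KDF such as bcrypt/scrypt/Argon2 is the usual next step.)"""
    user_salt = os.urandom(16).hex()
    return user_salt, hash_password(password, user_salt, algo)


if __name__ == "__main__":
    stored = hash_password("correct horse", SITE_SALT)   # what the DB keeps
    print(verify_password("correct horse", stored, SITE_SALT))  # True
    print(verify_password("wrong guess", stored, SITE_SALT))    # False
    # Rotating the site-wide salt: every existing stored hash stops verifying,
    # which is why changing it locks all users out until they reset.
    print(verify_password("correct horse", stored, "rotated-salt"))  # False
    # One global salt: identical passwords yield identical hashes.
    print(hash_password("pw", SITE_SALT) == hash_password("pw", SITE_SALT))
    s1, h1 = hash_password_per_user("pw")
    s2, h2 = hash_password_per_user("pw")
    print(h1 != h2, verify_password("pw", h1, s1, "sha256"))  # True True
```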
