Oh, I think I misunderstood the whole thing, or didn't I?
I am using MySQL DB. So the blowfish (salt) is stored in the same row of the
user who is logging in?
I expected it to be a combination of the password and salt which gets md5'ed
and compared against the password value in the db.
Like:
$authAdapter->set...
...
->setCredentialTreatment("MD5(?)")
->setCredential($password . $salt)
But I see, there would not be any benefit.
So blowfish should be an actual field in my users table?
Cheers,
Holger
-----Original Message-----
From: Joó Ádám [mailto:[EMAIL PROTECTED]
Sent: Sunday, April 13, 2008 3:04 AM
To: Josh Team
Cc: Holger Lampe; [email protected]
Subject: Re: [fw-general] adding "salt" to logging in and password security
On Sun, Apr 13, 2008 at 1:52 AM, Josh Team <[EMAIL PROTECTED]> wrote:
> Maybe I am missing something, but doesn't storing the salt in plain text in
> the same row as the user in question defeat a main purpose of a salt in data
> integrity / security if compromised? The only thing you are achieving with
> your salt by storing it in such a way is making the hash value harder to
> decipher over sniffing which is a small (imo) feature of salting passwords.
I understand now. Using different hash values per password makes it
much harder to brute-force them. Of course, the best way would be to
use both a main salt hash, and one for each record.
And Holger: maybe you should use apostrophes around $blowfish, so:
->setCredentialTreatment("MD5(CONCAT(?, '$blowfish'))")
Hope that helps.
Regards,
Ádám
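To make the two designs in this thread concrete (a per-user salt column in the users table, as Holger asks about, combined with a main application-wide salt, as Ádám suggests), here is an added, self-contained example that is not part of the original messages and not Zend Framework code. It uses an in-memory SQLite table as a stand-in for the MySQL users table and registers an md5() function so the verification query has the same shape as the DbTable credential treatment MD5(CONCAT(?, salt)) discussed above. The table name, column names, MAIN_SALT value and sample users are all constructed for the example.

```python
import hashlib
import os
import sqlite3

# Constructed stand-in for the "main salt" Ádám refers to: held in application
# config, never stored in the database, so a dumped users table alone lacks it.
MAIN_SALT = "example-main-salt-not-a-real-secret"


def make_db():
    """Create an in-memory users table with a per-row salt column."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5(); register one so the SELECT below can mirror the
    # MySQL credential treatment MD5(CONCAT(?, salt)) from the thread.
    conn.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt TEXT)"
    )
    return conn


def new_salt():
    """Fresh random per-user salt (16 hex characters) generated at registration."""
    return os.urandom(8).hex()


def hash_password(password, row_salt):
    """Application-side equivalent of MD5(CONCAT(main_salt, password, row_salt))."""
    return hashlib.md5((MAIN_SALT + password + row_salt).encode()).hexdigest()


def register(conn, username, password):
    """Store the hash and the per-user salt in the same row, as the thread describes."""
    row_salt = new_salt()
    conn.execute(
        "INSERT INTO users (username, password, salt) VALUES (?, ?, ?)",
        (username, hash_password(password, row_salt), row_salt),
    )
    return row_salt


def authenticate(conn, username, password):
    """Database-side check in the style of Zend_Auth_Adapter_DbTable:
    the salt is read from the candidate user's own row, while the main
    salt and password arrive together as the bound credential parameter."""
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND password = md5(? || salt)",
        (username, MAIN_SALT + password),
    ).fetchone()
    return row is not None


def stored_hashes(conn):
    """Map username -> stored hash; lets a reader see that equal passwords
    still produce different hashes once each row has its own salt."""
    return dict(conn.execute("SELECT username, password FROM users"))


if __name__ == "__main__":
    db = make_db()
    register(db, "alice", "hunter2")
    register(db, "bob", "hunter2")          # same password as alice
    print(stored_hashes(db))                # two different hashes
    print(authenticate(db, "alice", "hunter2"), authenticate(db, "alice", "wrong"))
```

The per-row salt answers Josh's objection in the thread: it does not need to be secret, because its job is to make every row's hash unique so that a table precomputed for one hash cannot be reused against all users. The main salt adds what a leaked users table lacks. The query shape is independent of the hash function; swapping md5 for a slower password hash changes only the registered function and hash_password.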