Using one salt, programmed directly into your application, has the
benefit that if the database is stolen, the attacker doesn't know it;
using a salt stored in the same row for every password has the
benefit that it is more likely that the attacker has the MD5 hash of a
password like 'secret', but very unlikely if it is
'secretdjtn3hn4vZ!+%ZB%Kmgtw4667jz++T!%RHj7kj.)' (I use a 50 character long value),
so he has to compute an entire dictionary just to crack one password.


Regards,
Ádám

On Sun, Apr 13, 2008 at 7:01 AM, Holger Lampe <[EMAIL PROTECTED]> wrote:
> Oh, I think I misunderstood the whole thing, or didn't I?
>  I am using MySQL DB. So the blowfish (salt) is stored in the same row of the 
> user who is logging in?
>
>  I expected it to be a combination of the password and salt which gets md5'ed 
> and compared against the password value in the db.
>
>  Like:
>
>  $authAdapter->set...
>  ...
>  ->setCredentialTreatment("MD5(?)")
>  ->setCredential($password . $salt)
>
>
>  But I see, there would not be any benefit.
>
>  So blowfish should be an actual field in my users table?
>
>
> Cheers,
>  Holger

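The two schemes discussed in this thread, side by side, as an added example that is not part of the original message or of Zend_Auth: an application-wide secret that never reaches the database versus a random per-row salt stored next to the hash, and what each does to an attacker who has stolen the users table. MD5 is used only because the thread does; the names `APP_SECRET`, `DICTIONARY`, the user names and the passwords are constructed for the illustration. A practitioner today would replace MD5 with a deliberately slow password hash (bcrypt, PBKDF2 or Argon2), which the thread predates.

```python
import hashlib
import hmac
import os

# Hypothetical application-wide secret, compiled into the code and never
# written to the database (the first scheme in the thread).
APP_SECRET = "djtn3hn4vZ!+%ZB%Kmgtw4667jz++T!%RHj7kj.)"

# Constructed attacker wordlist; real ones are far larger.
DICTIONARY = ["123456", "password", "secret", "letmein", "qwerty"]


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def hash_with_app_secret(password: str) -> str:
    """Scheme 1: one secret salt known only to the application."""
    return md5_hex(password + APP_SECRET)


def hash_with_row_salt(password: str, salt: str) -> str:
    """Scheme 2: a salt that is stored in the user's own row, so the
    attacker who steals the table gets it too, but it is different per user."""
    return md5_hex(password + salt)


def new_salt(nbytes: int = 16) -> str:
    # Random per-user salt; os.urandom is the CSPRNG, never a counter or name.
    return os.urandom(nbytes).hex()


def create_user(users: dict, name: str, password: str) -> None:
    salt = new_salt()
    users[name] = {"salt": salt, "hash": hash_with_row_salt(password, salt)}


def verify(users: dict, name: str, password: str) -> bool:
    row = users.get(name)
    if row is None:
        return False
    # Constant-time compare so a wrong guess does not leak how many bytes matched.
    return hmac.compare_digest(hash_with_row_salt(password, row["salt"]), row["hash"])


def crack_unsalted(stolen_hashes: list) -> tuple:
    """Unsalted MD5: one precomputed table is built once and cracks every
    user whose password is in the dictionary. Returns (cracked, hashes computed)."""
    table = {md5_hex(word): word for word in DICTIONARY}
    cracked = {h: table[h] for h in stolen_hashes if h in table}
    return cracked, len(DICTIONARY)


def crack_row_salted(stolen_rows: dict) -> tuple:
    """Per-row salt: the dictionary has to be re-hashed for every user, since a
    hash computed with alice's salt says nothing about bob's. Returns
    (cracked, hashes computed)."""
    cracked = {}
    work = 0
    for name, row in stolen_rows.items():
        for word in DICTIONARY:
            work += 1
            if hash_with_row_salt(word, row["salt"]) == row["hash"]:
                cracked[name] = word
                break
    return cracked, work


def app_secret_defeats_plain_dictionary(password: str) -> bool:
    """Without APP_SECRET the attacker's plain md5(word) table never matches."""
    return md5_hex(password) != hash_with_app_secret(password)


if __name__ == "__main__":
    users = {}
    create_user(users, "alice", "secret")
    create_user(users, "bob", "secret")
    print("same password, different rows:", users["alice"]["hash"] != users["bob"]["hash"])
    print("row-salted cracking:", crack_row_salted(users))
    print("unsalted cracking:", crack_unsalted([md5_hex("secret"), md5_hex("secret")]))
```

Both users above chose 'secret'. Unsalted, their hashes are identical and one table lookup cracks both; with a per-row salt the hashes differ and the attacker's hash count scales with the number of users, which is the "entire dictionary just to crack one password" point made in the reply. The application secret stops the plain dictionary outright, but only for as long as the code stays private, which is why the two schemes are usually combined rather than chosen between.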