Hey,
Interesting topic. I use a method similar to one mentioned above where I
have username, password and salt fields in a users db table. The salt is
generated on registration and is a random 5 character block using this:
$mysalt = substr(md5(uniqid(rand(), true)), 0, 5);
On login form submit I lookup the salt key by passing the submitted
(filtered) username to this model:
public static function getSalt($username)
{
    $db = new Auth();
    $query = $db->select()
                ->where('username = ?', $username);
    return $db->fetchRow($query);
}
.... if no username was found I 'return' the user to the login form with a
message saying user/pass combination was wrong. If a record was found I
continue with the Auth code in the controller, but add this important line
(in bold):
$authAdapter = new Zend_Auth_Adapter_DbTable(Zend_Registry::get('db'));
$authAdapter->setTableName('users');
$authAdapter->setIdentityColumn('username');
$authAdapter->setCredentialColumn('password');
$authAdapter->setIdentity($username);
$authAdapter->setCredential(md5(md5($password) . $user->salt));
$auth = Zend_Auth::getInstance();
$result = $auth->authenticate($authAdapter);
$user->salt being the value that was returned from the query above.
Having read some of the posts in this thread I think I'll be changing it
slightly to include a site wide salt key as well.
Chris.
Holger Lampe wrote:
>
> Oh, I think I misunderstood the whole thing, or didn't I?
> I am using MySQL DB. So the blowfish (salt) is stored in the same row of
> the user who is logging in?
>
> I expected it to be a combination of the password and salt which gets
> md5'ed and compared against the password value in the db.
>
> Like:
>
> $authAdapter->set...
> ...
> ->setCredentialTreatment("MD5(?)")
> ->setCredential($password . $salt)
>
>
> But I see, there would not be any benefit.
>
> So blowfish should be an actual field in my users table?
>
> Cheers,
> Holger
>
>
> -----Original Message-----
> From: Joó Ádám [mailto:[EMAIL PROTECTED]
> Sent: Sunday, April 13, 2008 3:04 AM
> To: Josh Team
> Cc: Holger Lampe; [email protected]
> Subject: Re: [fw-general] adding "salt" to logging in and password
> security
>
> On Sun, Apr 13, 2008 at 1:52 AM, Josh Team <[EMAIL PROTECTED]> wrote:
>> Maybe I am missing something, but doesn't storing the salt in plain text
>> in the same row as the user in question defeat a main purpose of a salt in
>> data integrity / security if compromised? The only thing you are achieving
>> with your salt by storing it in such a way is making the hash value harder to
>> decipher over sniffing which is a small (imo) feature of salting
>> passwords.
>
> I understand now. Using different hash values per password makes it
> much harder to bruteforce them. Of course, the best way would be to
> use both a main salt hash, and one for each record.
> And Holger: maybe you should use apostrophes around $blowfish, so:
>
> ->setCredentialTreatment("MD5(CONCAT(?, '$blowfish'))")
>
> Hope that helps.
>
>
> Regards,
> Ádám
>
>
>
--
View this message in context:
http://www.nabble.com/adding-%22salt%22-to-logging-in-and-password-security-tp16646218p16734464.html
Sent from the Zend Framework mailing list archive at Nabble.com.
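The login flow Chris describes above (per-user salt stored in the users row, lookup by username, generic failure message when no row is found), extended with the site-wide salt he says he will add, written as a stand-alone example that is not code from the thread or from Zend Framework. It uses plain PDO instead of Zend_Auth_Adapter_DbTable, swaps random_bytes() for md5(uniqid()) and sha256 for the thread's nested md5, and assumes a constant SITE_SALT loaded from configuration rather than the database, plus the pdo_sqlite extension for the in-memory demo.

```php
<?php
// Added example, not from the mailing-list thread. Assumed: users table
// with username/password/salt columns, SITE_SALT read from a config file
// (never stored in the database), sha256 in place of the thread's md5.
const SITE_SALT = 'replace-with-long-random-value-from-config'; // assumption

function makeSalt(): string {
    // 16 random bytes, hex encoded; replaces substr(md5(uniqid(rand(), true)), 0, 5)
    return bin2hex(random_bytes(16));
}

function hashPassword(string $password, string $salt): string {
    // Per-record salt (in the row) plus site-wide salt (in config): an attacker
    // holding only a database dump still lacks SITE_SALT for offline guessing.
    return hash('sha256', $salt . SITE_SALT . $password);
}

function registerUser(PDO $db, string $username, string $password): void {
    $salt = makeSalt();
    $stmt = $db->prepare('INSERT INTO users (username, password, salt) VALUES (?, ?, ?)');
    $stmt->execute([$username, hashPassword($password, $salt), $salt]);
}

function authenticate(PDO $db, string $username, string $password): bool {
    // Look up the row by username only; the credential is checked in PHP,
    // so no salt value is ever interpolated into the SQL text.
    $stmt = $db->prepare('SELECT password, salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Same path as the "no username found" case in the thread: the caller
        // reports only that the user/pass combination was wrong.
        return false;
    }
    $expected = hashPassword($password, $row['salt']);
    return hash_equals($row['password'], $expected); // constant-time comparison
}

// Self-contained demo against an in-memory SQLite table (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, salt TEXT)');
registerUser($db, 'chris', 'correct horse');
var_dump(authenticate($db, 'chris', 'correct horse'));
var_dump(authenticate($db, 'chris', 'wrong password'));
var_dump(authenticate($db, 'nobody', 'correct horse'));
```

Because the verifier compares in PHP with hash_equals(), the salt never needs to appear in a setCredentialTreatment() string, which also sidesteps the quoting problem Ádám points out with "MD5(CONCAT(?, '$blowfish'))".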