P.S. - I'm not considering storing the salt in the DB as being properly
secured. That's kind of like keeping the key to your house under the
door mat. You can get in, if you know where to look.
--
Eric Marden

-----Original Message-----
From: Eric Marden [mailto:[EMAIL PROTECTED] 
Sent: Thursday, April 17, 2008 10:47 AM
To: [email protected]
Subject: RE: [fw-general] adding "salt" to logging in and password security

Mike,

Can you share with us a different approach?

Because methinks if your properly secured 'salt value' has been stolen,
you've got bigger problems than someone computing a dictionary of hashes
with the value. 

--
Eric Marden



-----Original Message-----
From: Michael B Allen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 16, 2008 6:34 PM
To: cjant83
Cc: [email protected]
Subject: Re: [fw-general] adding "salt" to logging in and password security

On 4/16/08, cjant83 <[EMAIL PROTECTED]> wrote:
> Having read some of the posts in this thread I think I'll be changing
> it slightly to include a site wide salt key as well.

I really don't understand some of the methods for salting passwords
people are describing in this thread. The methods described in my post
are established and accepted practices.

If you invent your own thing you're only asking for trouble. In fact, a
"site wide salt key" can be stolen as easily as your password database
which completely defeats the purpose of salting passwords in the first
place since the attacker can compute a dictionary of passwords with your
fixed salt.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
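The point Mike makes above (a fixed, site-wide salt lets one precomputed table cover every account, whereas a random per-user salt stored next to each hash does not) can be seen directly in code. This is an added example, not code from the thread or from Zend Framework; the use of PBKDF2-HMAC-SHA256, the iteration count and the constructed site-wide salt value are my assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters for this example (not taken from the thread).
ITERATIONS = 50_000
SITE_WIDE_SALT = b"constructed-site-wide-salt"  # the fixed-salt design argued against


def hash_fixed_salt(password: str) -> bytes:
    """Site-wide salt: every account shares one salt, so equal passwords
    produce equal hashes and one precomputed table matches all of them."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SITE_WIDE_SALT, ITERATIONS)


def make_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Per-user random salt, stored beside the hash in that user's row.
    Stealing the table gives the attacker the salts, but each one still
    forces a separate computation per account."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Recompute with the stored per-user salt; constant-time compare."""
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, stored)


def same_password_collides(password: str, per_user: bool) -> bool:
    """True if two accounts with the same password end up with identical
    stored hashes. Always True under a fixed site-wide salt; practically
    never under random per-user salts."""
    if per_user:
        _, h1 = make_record(password)
        _, h2 = make_record(password)
    else:
        h1 = hash_fixed_salt(password)
        h2 = hash_fixed_salt(password)
    return h1 == h2


if __name__ == "__main__":
    print("fixed salt, equal hashes:", same_password_collides("correct horse", per_user=False))
    print("per-user salt, equal hashes:", same_password_collides("correct horse", per_user=True))
```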
