On Fri, Apr 18, 2008 at 9:38 PM, Jim Scherer <[EMAIL PROTECTED]> wrote:
>
> Thanks, I've added the use of salt to my Auth. I added a field passwordSalt
> to every row of my table. Some of you don't like that, but I did so with
> what I think gives it a little more flair. I've hardcoded a couple of
> substr($passwordSalt, y, n) to surround my password, so good figuring how I
> salted it.

You're only opening the door for a mistake. And if you later decide that you
want to move the password database to something like LDAP, all of your users
will have to reset their passwords.

> I don't know much about this but do you think Zend_Auth_Adapter_DbTable
> should be altered to add
>
> ->setSalt (pass value or variable used for Salt)
> ->setSaltShaker ( Zend_Auth_Hash::MD5SALT)

There's really no need to parameterize the salt if you use an established
hashing method. What could be parameterized is the password hashing method
and corresponding method for checking a plaintext password.

> where setSaltShaker uses the values in setCredentialColumn and setSalt to
> build some standard hashing:
>
> Zend_Auth_Hash::MD5 ............ md5 ( setCredentialColumn() )
> Zend_Auth_Hash::SALTMD5 .... md5( setCredentialColumn() . setSalt() )
> Zend_Auth_Hash::SHA1 .......... sha1( setCredentialColumn() )
> Zend_Auth_Hash::SALTSHA1 ... sha1( setCredentialColumn() . setSalt() )

Like the hashing methods themselves, their names are already fairly well
established:

PLAIN (also frequently called CLEAR)
CRYPT
EXT_DES
MD5_CRYPT
BLOWFISH
MD5
SHA
SMD5
SSHA
SSHA256
SSHA384
SSHA512

If you have a choice use an SSHA based method. All of the crypt(3) based
methods are highly deprecated.

Mike

--
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
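As an added illustration of the point above (not code from the thread or from Zend Framework), here is the LDAP-style {SSHA} scheme Mike recommends, written as the kind of hash/check pair a Zend_Auth_Adapter_DbTable could be given instead of a per-row salt column. It assumes PHP 7 or later for random_bytes() and hash_equals(); the function names sshaHash and sshaCheck are hypothetical.

```php
<?php
// Added example, not from the mailing-list thread or Zend Framework.
// {SSHA} as used by LDAP directories: base64( sha1(password . salt) . salt ).
// The salt is carried inside the stored value, so no separate column and no
// hidden substr() positions are needed to verify it later, and the same value
// can be moved to an LDAP server without resetting anyone's password.

// Hash a plaintext password with a fresh random salt (assumes PHP 7+).
function sshaHash(string $password, int $saltLength = 8): string
{
    $salt = random_bytes($saltLength);
    $digest = sha1($password . $salt, true);   // raw 20-byte digest
    return '{SSHA}' . base64_encode($digest . $salt);
}

// Check a plaintext password against a stored {SSHA} value.
// Malformed input yields false rather than an exception, so a corrupted row
// can never authenticate anyone by accident.
function sshaCheck(string $password, string $stored): bool
{
    if (strncmp($stored, '{SSHA}', 6) !== 0) {
        return false;
    }
    $decoded = base64_decode(substr($stored, 6), true);
    // Need the 20 digest bytes plus at least one salt byte.
    if ($decoded === false || strlen($decoded) <= 20) {
        return false;
    }
    $digest = substr($decoded, 0, 20);
    $salt   = substr($decoded, 20);
    // Constant-time comparison so timing does not reveal matching prefixes.
    return hash_equals($digest, sha1($password . $salt, true));
}

// Usage: store sshaHash($plain) in the credential column; at login, fetch the
// row by identity and pass the submitted password and the stored value to
// sshaCheck(). Example with constructed values:
$stored = sshaHash('correct horse');
var_dump(sshaCheck('correct horse', $stored));
var_dump(sshaCheck('wrong horse', $stored));
```

The same hash/check shape covers the BLOWFISH entry in Mike's list through password_hash() and password_verify(), which is the better choice on current PHP because its cost factor slows brute-force attempts.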
