On Fri, Apr 18, 2008 at 10:34 AM, <[EMAIL PROTECTED]> wrote:

> Hi Eric and all the others who have problems with "salts",
>
> there is no problem with storing your "salts" with your hashed passwords in
> your db.
> You can read about that here:
>
> http://phpsec.org/articles/2005/password-hashing.html
>
> There they explain why and how you should use a "salt".
>
> Greetings
> Sascha
>
> -----Original Message-----
> From: Michael B Allen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 17 April 2008 19:20
> To: Eric Marden
> Cc: [email protected]
> Subject: Re: [fw-general] adding "salt" to logging in and password
> security
>
> On 4/17/08, Eric Marden <[EMAIL PROTECTED]> wrote:
> > >> P.S. - I'm not considering storing the salt in the DB as being
> > >> properly secured. That's kind of like keeping the key to your house
> > >> under the door mat. You can get in, if you know where to look.
> > >
> > > The UNIX passwd database and LDAP userPassword attribute store the
> > > salt in plain sight with the password hash.
> >
> > There are ACLs protecting those assets.
>
> There are no ACLs on the UNIX password database and even if there were
> they wouldn't do any good if the hacker steals the database file(s)
> (e.g. slapd dbm files).
>
> > Still failing to see your point.
>
> Clearly.

That website mentions storing these hashes in the database just to make every password hash look different for every user, but this alone doesn't increase protection from brute-force attacks; therefore I advise you to use a double salt: a static one located outside of your web root and a randomly generated salt to ensure that the hash will be unique.
-- Isaak Malik Web Developer
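
The "double salt" scheme discussed in this thread, written out as an added example (my own code, not from any poster or from Zend Framework): a random per-user salt stored in the clear next to the hash, plus a site-wide secret (the "static salt", often called a pepper) that lives in a file outside the web root and is never written to the database. The PEPPER constant below is a constructed stand-in for the contents of that file, and PBKDF2-HMAC-SHA256 is used in place of the plain MD5/SHA1 hashing common in 2008.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a secret kept outside the web root, e.g. read from
# /etc/myapp/pepper. Hypothetical value; in practice load it from that file
# at startup and never store it in the database.
PEPPER = bytes.fromhex(
    "8f1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"
)
PBKDF2_ROUNDS = 100_000


def _peppered(password: str, pepper: bytes) -> bytes:
    # Bind the password to the site-wide secret before the slow hash, so a
    # stolen database record cannot be brute-forced without the pepper.
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$rounds$salt_hex$hash_hex'.

    The random per-user salt is stored in the clear inside the record; this is
    fine, since its only job is to make identical passwords hash differently.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", _peppered(password, pepper), salt, PBKDF2_ROUNDS
    )
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, pepper: bytes) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, rounds, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(rounds)
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", _peppered(password, pepper), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)
```

Two users with the same password get different records because of the random salt, while a copy of the database without the pepper file cannot be used to verify guesses at all.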
