You guys are very bullish on option #1.

An interesting idea to bring up is the idea of having different 
'security realms' so if one aspect of the application is compromised the 
whole is not. Leaving the salt in the same place as the hash is akin to 
leaving the keys by the back door.
Having the salt hardcoded in the application means that if someone 
manages to access your database, or, as is more common, uses Google to 
find a database backup in a tar file, they cannot see the salt and so 
the hash values are then worthless.

Let me know what you guys think.

-Stig

Philip Arndt wrote:
> Yes, I agree with Harvey on this one. This is the approach I've  
> successfully used in the past to migrate an existing userbase.
> (+1 to this approach)
>
> On 6/11/2008, at 11:40 AM, Harvey Kane wrote:
>
>
>> If you have an existing unsalted userbase, #1 is probably the best  
>> bet.
>> You can salt the passwords one at a time, as and when the user logs in
>> next. With the global option, how do you know which passwords are  
>> salted
>> and which are not? (obviously not an issue for a new project)
>>
>> To salt an existing password...
>> eg
>> User logs in.
>> Check to see if password is salted - if it's not (the salt field is
>> empty) then...
>> Randomly create a salt, add it on to $_POST['password'] and re-hash.
>> Save salt and new hashed password to database.
>>
>> When salting passwords, you might want to re-test the user profile  
>> page,
>> change password page, and forgot password page (if you have them)  
>> which
>> are likely to break.
>>
>> Hope that helps,
>>
>> Harvey.
>>
>>
>> Aaron Cooper wrote:
>>
>>> 1. Add another field to the user table for storing the salt (in plain
>>> text) that was generated randomly upon registration. (or use another
>>> piece of user info, like registration date)
>>>

--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
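The migrate-on-login procedure Harvey outlines above (check the salt field; if empty, verify against the old unsalted hash, then generate a random salt, re-hash and store both), as an added example that is not code from anyone in the thread. It assumes a `users` table with `password_hash` and `salt` columns (salt NULL until migrated), a PDO connection, and that the legacy scheme was plain `md5()`; the SQLite data at the bottom is constructed for the demo.

```php
<?php
// Added example: lazily upgrade unsalted MD5 hashes to per-user salted
// hashes the next time each user logs in. Assumed schema:
//   users(id, username, password_hash, salt)   -- salt NULL until migrated

function legacyHash(string $password): string {
    return md5($password);                      // what the old code stored
}

function saltedHash(string $password, string $salt): string {
    // Salt first, then hash; hex output keeps the column a plain string.
    return hash('sha256', $salt . $password);
}

// Returns true on a correct password; migrates the row as a side effect.
function verifyAndMigrate(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash, salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;
    }

    if ($user['salt'] === null || $user['salt'] === '') {
        // Not yet migrated: compare against the legacy unsalted hash.
        if (!hash_equals($user['password_hash'], legacyHash($password))) {
            return false;                       // wrong password, leave row as is
        }
        // Correct password: make a random salt, re-hash, store both.
        $salt = bin2hex(random_bytes(16));
        $upd = $pdo->prepare('UPDATE users SET password_hash = ?, salt = ? WHERE id = ?');
        $upd->execute([saltedHash($password, $salt), $salt, $user['id']]);
        return true;
    }

    // Already migrated: verify with the stored per-user salt.
    return hash_equals($user['password_hash'], saltedHash($password, $user['salt']));
}

// Constructed demo data: an in-memory SQLite DB with one legacy user.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, salt TEXT)');
$pdo->prepare('INSERT INTO users (username, password_hash, salt) VALUES (?, ?, NULL)')
    ->execute(['alice', legacyHash('correct horse')]);

var_dump(verifyAndMigrate($pdo, 'alice', 'wrong password'));   // legacy path, rejected
var_dump(verifyAndMigrate($pdo, 'alice', 'correct horse'));    // legacy path, migrates row
var_dump(verifyAndMigrate($pdo, 'alice', 'correct horse'));    // salted path from now on
```

In current PHP, `password_hash()` and `password_verify()` generate and embed the salt themselves, so the separate salt column is unnecessary; the check-on-login migration pattern stays the same, with `password_needs_rehash()` covering later upgrades.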
