Stig Manning wrote:
> You guys are very bullish on option #1.
>
> An interesting idea to bring up is the idea of having different
> 'security realms' so if one aspect of the application is compromised the
> whole is not. Leaving the salt in the same place as the hash is akin to
> leaving the keys by the back door.
> Having the salt hardcoded in the application means that if someone
> manages to access your database, or, as is more common, uses Google to
> find a database backup in a tar file, they cannot see the salt and so
> the hash values are then worthless.
You can always use both if you think this is valuable. The nice thing about
salts is that it's not significantly more expensive to have both an app-based
salt and a salt stored in the database.

--
Tim Oliver
[EMAIL PROTECTED]

--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
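The "use both" approach Tim describes, written out as an added PHP example that is not part of the thread or of anyone's posted code: an application-side secret (commonly called a pepper) that lives only in the application's configuration, combined with the random per-user salt that password_hash() generates and stores beside the hash in the database. The APP_PEPPER value, the function names and the sample password are constructed for illustration; the only library calls are hash_hmac(), password_hash() and password_verify() from standard PHP.

```php
<?php
declare(strict_types=1);

// Added example, not code from the mailing list thread.
// Application-side secret ("pepper"): it is never written to the database,
// so a leaked database dump or backup does not contain it. The value here is
// a constructed placeholder; in deployment load it from an environment
// variable or a config file outside the web root, generated with random_bytes().
const APP_PEPPER = 'replace-with-32-random-bytes-from-random_bytes()';

/**
 * Hash a password with both an app-side pepper and a per-user database salt.
 * The pepper is applied first via HMAC-SHA256 (fixed 64-hex-char output, so the
 * bcrypt 72-byte input limit is never hit); password_hash() then adds its own
 * random per-user salt and cost factor. The returned string is what goes in
 * the users table.
 */
function hashPassword(string $password, string $pepper = APP_PEPPER): string
{
    $peppered = hash_hmac('sha256', $password, $pepper);
    return password_hash($peppered, PASSWORD_DEFAULT);
}

/**
 * Verify a login attempt. password_verify() reads the per-user salt and cost
 * back out of the stored string; the pepper must be the same one used when
 * the hash was created, or verification fails.
 */
function verifyPassword(string $password, string $storedHash, string $pepper = APP_PEPPER): bool
{
    $peppered = hash_hmac('sha256', $password, $pepper);
    return password_verify($peppered, $storedHash);
}

// Demonstration on a constructed password.
$stored = hashPassword('correct horse battery staple');
echo "stored in DB: {$stored}\n";

var_dump(verifyPassword('correct horse battery staple', $stored));
var_dump(verifyPassword('wrong password', $stored));

// Checking the same stored hash under a different pepper fails, which is the
// property the thread is after: a copy of the users table alone, without the
// application's pepper, cannot be tested against candidate passwords.
var_dump(verifyPassword('correct horse battery staple', $stored, 'some-other-pepper'));
```

Two practical points follow from the design. First, the pepper only helps against a database-only compromise; if the application server (or its config) is read as well, both secrets are exposed together, so the pepper needs to be kept in a separately permissioned place rather than next to the database credentials. Second, because the pepper is folded in before hashing, rotating it means re-hashing each user's password at their next successful login; keeping a small version tag alongside the stored hash makes that migration straightforward.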
