That's right - you'd have to ask them for their password if they
updated those details. However, it would mean an administrator could
never change those fields, otherwise the password would become
invalidated because the salt would now be different.


2008/11/6 Aaron Cooper <[EMAIL PROTECTED]>:
>
> Obviously update the entire hash on whichever action applies to the salt
> too.
>
> Assuming of course that you ask the user to enter their original password
> whenever they perform such an action. (pretty common when changing email
> addresses)
>
> A little more work tho.
>
>
> ----- Original Message -----
> From: "Chris Hope" <[EMAIL PROTECTED]>
> To: <[email protected]>
> Sent: Thursday, November 06, 2008 12:51 PM
> Subject: [phpug] Re: Hash sailting best practise
>
>
>>
>>>    Philip> Just randomly generate a string.
>>>
>>> Or use the username or email itself as the salt. So you won't have to
>>> store the salt. This is secure enough.
>>
>> But what happens if they change their username or email address?
>>
>> --
>> Chris Hope
>> The Electric Toolbox Ltd
>>
>> Email: [EMAIL PROTECTED]
>> Web: www.electrictoolbox.com
>> Phone: +64 9 522 9531
>> Mobile: +64 21 866 529
>>



-- 
Chris Hope
The Electric Toolbox Ltd

Email: [EMAIL PROTECTED]
Web: www.electrictoolbox.com
Phone: +64 9 522 9531
Mobile: +64 21 866 529
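
The trade-off discussed in this thread, as an added example that is not code from any of the participants: a salt derived from the e-mail address breaks the stored hash when an administrator edits the address, while a random salt stored beside the hash does not. Function names, array fields, the sample account and the use of PBKDF2 with this iteration count are assumptions made for the illustration.

```php
<?php
const ITERATIONS = 100000; // assumed work factor for this example

function derive(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, ITERATIONS);
}

// Scheme A: the e-mail address is the salt, so no salt column is stored.
function registerEmailSalt(string $email, string $password): array
{
    return ['email' => $email, 'hash' => derive($password, strtolower($email))];
}

function verifyEmailSalt(array $user, string $password): bool
{
    return hash_equals($user['hash'], derive($password, strtolower($user['email'])));
}

// Under scheme A the user must re-enter the password so the hash can be rebuilt.
function changeEmailEmailSalt(array $user, string $newEmail, string $password): array
{
    if (!verifyEmailSalt($user, $password)) {
        throw new RuntimeException('current password required to change e-mail');
    }
    return registerEmailSalt($newEmail, $password);
}

// Scheme B: a random per-user salt is stored next to the hash.
function registerRandomSalt(string $email, string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['email' => $email, 'salt' => $salt, 'hash' => derive($password, $salt)];
}

function verifyRandomSalt(array $user, string $password): bool
{
    return hash_equals($user['hash'], derive($password, $user['salt']));
}

// Constructed sample account, created under both schemes.
$a = registerEmailSalt('alice@example.test', 'correct horse');
$b = registerRandomSalt('alice@example.test', 'correct horse');

// An administrator edits the address without knowing the password.
$a['email'] = $b['email'] = 'alice@new.example.test';
var_dump(verifyEmailSalt($a, 'correct horse'));  // salt is recomputed from the new address
var_dump(verifyRandomSalt($b, 'correct horse')); // stored salt is unaffected by the edit
```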
