Do everything that Edward says. It's good advice. Something else that I do when working with passwords is to add a second, application-wide salt to the nonce just to make it yet more complex. Then once that is hashed I hash it again 5-10 more times. Just makes it more and more difficult to create any kind of rainbow table for the application.
Jason Dean has a bunch of articles on password security and hashing, and code samples for handling it:

http://www.12robots.com/index.cfm/2008/5/18/Password-Security-with-Hashing-Functions--Security-Series-4.2
http://www.12robots.com/index.cfm/2008/5/19/More-on-Hashing-Functions-Security-Series-4.2.1
http://www.12robots.com/index.cfm/2008/5/21/Salting-Passwords-Security-Series-4.3
http://www.12robots.com/index.cfm/2008/5/29/Salting-and-Hashing-Code-Example--Security-Series-44
http://www.12robots.com/index.cfm/2008/6/2/User-Login-with-Salted-and-Hashed-passwords--Security-Series-45

They are a great place to start reading on the topic.

-Daniel Sellers
www.designfrontier.net

--
Open BlueDragon Public Mailing List
http://www.openbluedragon.org/
http://twitter.com/OpenBlueDragon
mailing list - http://groups.google.com/group/openbd?hl=en
!! save a network - please trim replies before posting !!
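The scheme Daniel describes (a random per-user salt plus a second, application-wide salt, with the digest re-hashed several more times), written out as an added Python example that is not from the post or from the 12robots articles. The application-wide salt value, the 16-byte per-user salt and the iteration count are constructed assumptions; the standard-library hashlib.pbkdf2_hmac gives the same "salt, then iterate" effect with a much higher, tunable round count.

```python
import hashlib
import hmac
import os

# Constructed value: in a real deployment the application-wide salt lives in
# protected configuration, not in source control or the database.
APP_SALT = b"constructed-application-wide-salt"
# The post suggests re-hashing 5-10 more times; the count is stored with the
# record so it can be raised later without breaking existing logins.
ITERATIONS = 10


def hash_password(password: str, user_salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salt + application-wide salt + password, hashed once, then
    re-hashed `iterations` more times with both salts fed back in each round."""
    digest = hashlib.sha256(user_salt + APP_SALT + password.encode("utf-8")).digest()
    for _ in range(iterations):
        digest = hashlib.sha256(digest + user_salt + APP_SALT).digest()
    return digest


def new_user_record(password: str) -> dict:
    """Create the stored record: random salt, hash, and the round count used."""
    user_salt = os.urandom(16)  # unique per user, so equal passwords hash differently
    return {
        "salt": user_salt,
        "hash": hash_password(password, user_salt),
        "iterations": ITERATIONS,
    }


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and round count; compare in constant time
    so the comparison itself does not leak how many leading bytes matched."""
    expected = hash_password(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(expected, record["hash"])


if __name__ == "__main__":
    alice = new_user_record("correct horse")
    bob = new_user_record("correct horse")
    print("same password, different stored hashes:", alice["hash"] != bob["hash"])
    print("login ok:", verify_password(alice, "correct horse"))
    print("wrong password rejected:", not verify_password(alice, "battery staple"))
```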
