"Milan Mimica" <[email protected]> wrote:
> To make it slightly more secure, you can put a little salt in it:
>
> salt := 'Some random string I just came up with 123'
>
> password := SecureHashAlgorithm new hashMessage: salt, aClearTextPass.
>
> check:
> password = SecureHashAlgorithm new hashMessage: salt, aPasswordAttempt.
>
> That way you make it more difficult for the attacker to brute-force guess
> the password when the user supplies a weak password.
Note though that if the intent is to hardcode the hash (and presumably the salt as well) in the code it kinda defeats the purpose of the salt. Salt doesn't need to be secret, but it should be sufficiently unpredictable, so that the attacker cannot pre-compute the hashes easily. If the salt is fixed and well known, then it doesn't help.

I guess my main point is that hardcoding the password in any shape or form is nearly useless, you may as well not bother. What is the goal? What are you trying to protect against? Answers to these questions should guide you to a solution. Once you pick a solution you should then think about how it fails and what can you do when it happens (What will you do when your hardcoded password becomes compromised?). False security is often worse than no security.

HTH,
Martin
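To make Martin's point concrete, here is an added example (not code from either poster) that mirrors the thread's salt-then-hash construction in Python's hashlib: with one fixed, public salt every account holding the same weak password stores the same digest, so a single precomputed table covers all of them, whereas a fresh random salt per account makes each stored digest distinct. The record layout and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed example: a hardcoded, public salt as in the quoted snippet.
FIXED_SALT = b"Some random string I just came up with 123"


def hash_with_salt(salt: bytes, password: str) -> str:
    """SHA-256 over salt || password, like `hashMessage: salt, aClearTextPass`."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_fixed(password: str) -> str:
    """Fixed-salt scheme: the stored record is just the digest."""
    return hash_with_salt(FIXED_SALT, password)


def store_random(password: str) -> tuple[str, str]:
    """Per-account salt: store (salt_hex, digest). The salt is not secret,
    it only has to be unpredictable before the attacker sees it."""
    salt = secrets.token_bytes(16)
    return salt.hex(), hash_with_salt(salt, password)


def check_random(record: tuple[str, str], attempt: str) -> bool:
    """Verify an attempt against a (salt_hex, digest) record in constant time."""
    salt_hex, digest = record
    candidate = hash_with_salt(bytes.fromhex(salt_hex), attempt)
    return hmac.compare_digest(candidate, digest)


def same_password_same_record(password: str) -> tuple[bool, bool]:
    """Two accounts with the same weak password: do their stored digests match?
    Returns (under fixed salt, under per-account random salt)."""
    fixed_same = store_fixed(password) == store_fixed(password)
    random_same = store_random(password)[1] == store_random(password)[1]
    return fixed_same, random_same


if __name__ == "__main__":
    print(same_password_same_record("hunter2"))  # (True, False)
    rec = store_random("hunter2")
    print(check_random(rec, "hunter2"), check_random(rec, "hunter3"))
```

Because plain SHA is fast, the per-account salt only removes precomputation and cross-account reuse; it does not slow down guessing against one account's weak password.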
