Carl Furst wrote:

<?php
$salt = 'someglobalsaltstring'; # the salt should be the same salt used
                                # when storing passwords to your database, otherwise it won't work
$passwd = crypt($_GET['passwd'], $salt);

I personally use the username and the salt.
That way two users with identical passwords have different hashes.

With large databases, many users will have the same password; there are some that are just commonly used. The hackers know what they are, and if they get your hash dump, they try their list of commonly used passwords against the user names that have the common hashes.

By using the username as part of the salt, you avoid that issue because identical passwords will have different hashes.

It does mean the password has to be reset if you allow them to change their login name.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
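Added example, not code from either poster: the username-in-salt scheme described above, written out with PHP's crypt() in SHA-512 mode, with a verify step and the rename caveat. The global salt, usernames and passwords are constructed sample values; makeSalt(), hashPassword() and verifyPassword() are names chosen here.

```php
<?php
// Per-user salt derived from a global salt plus the username, so two users
// with the same password get different hashes (the point of the post above).
// All values below are constructed for the example.

// crypt() SHA-512 salts look like "$6$" + up to 16 chars of [./0-9A-Za-z] + "$".
function makeSalt(string $material): string {
    // Hash the material so the salt is always 16 characters; crypt's alphabet
    // has no '+', so map it to '.' ('/' is already allowed).
    $raw = hash('sha256', $material, true);
    $enc = strtr(substr(base64_encode($raw), 0, 16), '+', '.');
    return '$6$rounds=5000$' . $enc . '$';
}

function hashPassword(string $username, string $password, string $globalSalt): string {
    // The username is folded into the salt material, as the post suggests.
    return crypt($password, makeSalt($globalSalt . ':' . $username));
}

function verifyPassword(string $password, string $storedHash): bool {
    // crypt() reads the salt back out of the stored hash string, so the same
    // salt is reused; hash_equals() keeps the comparison constant-time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

$globalSalt = 'someglobalsaltstring';   // constructed, mirrors the quoted snippet
$alice = hashPassword('alice', 'correct horse', $globalSalt);
$bob   = hashPassword('bob',   'correct horse', $globalSalt);

var_dump($alice !== $bob);                          // bool(true): same password, different hashes
var_dump(verifyPassword('correct horse', $alice));  // bool(true)
var_dump(verifyPassword('wrong guess', $alice));    // bool(false)

// Caveat from the post: the hash depends on the username, so a login-name
// change invalidates it. Re-hash under the new name while the user is
// authenticated (you have the plaintext at login time), or force a reset.
// Note: password_hash() (PHP 5.5+) generates a random per-user salt itself,
// which avoids the rename problem entirely.
```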