On Wednesday 08 July 2009 04:25:46 Carl Furst wrote:
> These are great ideas.
> Another option would be to have the user choose a pin number and use
> either the literal pin or the encrypted pin as part of the salt. This
> way only when you change the pin do you need to change the password,
> which is probably what you would want anyway.
> Michael A. Peters wrote:
> > Carl Furst wrote:
> >> <?php
> >> # The salt should be the same salt used when storing passwords to your
> >> # database, otherwise it won't work.
> >> $salt = 'someglobalsaltstring';
> >> $passwd = crypt($_GET['passwd'], $salt);
> > I personally use the username and the salt.
> > That way two users with identical passwords have different hashes.
> > With large databases, many users will have the same password; there
> > are some that are just commonly used. The hackers know what they are,
> > and if they get your hash dump, they try their list of commonly used
> > passwords against the user names that have the common hashes.
> > By using the username as part of the salt, you avoid that issue
> > because identical passwords will have different hashes.
> > It does mean the password has to be reset if you allow them to change
> > their login name.
and then make a visit to their house to give them a secondary password that
they have to use. Make sure you're not tailed on the way to avoid the
password being intercepted...
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
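An added example, not code from the thread: the salting choices discussed above, side by side, using PHP's crypt() family. The GLOBAL_SALT constant, the usernames and the shared password are all constructed for illustration. It goes one step beyond the thread by also showing a random per-user salt stored alongside the hash (what password_hash() does), which is the variant that does not tie the hash to the username. Requires PHP 7 or later.

```php
<?php
// Added example, not from the original thread. All data below is constructed.

const GLOBAL_SALT = 'someglobalsaltstring';   // hypothetical site-wide salt

// Scheme 1: one global salt for every account (the original snippet).
// Same password => same hash, so a hash dump immediately shows which
// accounts share a password.
function hash_global(string $password): string
{
    return crypt($password, GLOBAL_SALT);
}

// Scheme 2: mix the username into the salt, as suggested in the thread.
// SHA-256 crypt ($5$) takes a salt of up to 16 characters from [a-zA-Z0-9./],
// so derive one from the username plus the global salt.
function user_salt(string $username): string
{
    return '$5$' . substr(hash('sha256', $username . GLOBAL_SALT), 0, 16) . '$';
}

function hash_with_username(string $username, string $password): string
{
    return crypt($password, user_salt($username));
}

// The salt is recomputed from the *current* username rather than read back
// from the stored hash. That is exactly what makes a username change
// invalidate the stored hash until the user sets the password again.
function verify_with_username(string $username, string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, user_salt($username)));
}

// Scheme 3: a random per-user salt stored inside the hash string itself.
// password_hash() does this with bcrypt, so the result is independent of
// the username and a rename needs no password reset.
function hash_random_salt(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT);
}

function verify_random_salt(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Run the three schemes against constructed accounts and report each property.
function demo(): array
{
    $pw  = 'correct horse battery staple';   // constructed password shared by two users
    $out = [];

    // 1. Global salt: alice and bob are indistinguishable in a dump.
    $out['global_collides'] = hash_global($pw) === hash_global($pw);

    // 2. Username salt: hashes differ, but renaming alice breaks her login.
    $alice = hash_with_username('alice', $pw);
    $bob   = hash_with_username('bob', $pw);
    $out['username_differs']    = $alice !== $bob;
    $out['username_verifies']   = verify_with_username('alice', $pw, $alice);
    $out['rename_breaks_login'] = !verify_with_username('alice_renamed', $pw, $alice);

    // 3. Random salt: two hashes of the same password differ, and both verify
    //    without any reference to the username.
    $h1 = hash_random_salt($pw);
    $h2 = hash_random_salt($pw);
    $out['random_differs']  = $h1 !== $h2;
    $out['random_verifies'] = verify_random_salt($pw, $h1) && verify_random_salt($pw, $h2);

    return $out;
}

foreach (demo() as $check => $ok) {
    printf("%-20s %s\n", $check, $ok ? 'ok' : 'FAIL');
}
```

Run it from the command line with `php salts.php` (any file name). The middle scheme reproduces both halves of the argument above: two users with the same password no longer share a hash, and the hash stops verifying as soon as the username it was derived from changes. The last scheme shows why storing the salt with the hash removes that coupling.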