On Thu, May 6, 2010 at 2:14 PM, Nicholas Ilyin <nick.il...@gmail.com> wrote:
> However, appending any plaintext to your password and hashing that, such as
> SHA(username+password+username) is useless from a mathematical standpoint as
> the username is actually known to a potential hacker. The way that hash
> functions work would mean that adding any additional bits which are known
> will not increase the security of your resulting hash.
>

The attacker would need to generate a custom set of dictionary attacks that include the username, so it's not entirely useless. If they have the password hash, they have the database and, presumably, everything else on the server. There are no secrets from that sort of attacker.

_______________________________________________
New York PHP Users Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
http://www.nyphp.org/Show-Participation
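To make both positions in the exchange concrete, here is an added Python example (not from the thread or the list) with constructed sample accounts and a constructed four-word dictionary: a known per-user salt such as the username adds no secrecy, but it stops one precomputed table from being reused across accounts and multiplies the cost of a dictionary pass by the number of users.

```python
import hashlib

# Constructed sample data for this example (not taken from the thread): a tiny
# dictionary and two accounts that happen to share the same weak password.
DICTIONARY = ["letmein", "password", "hunter2", "qwerty"]
USERS = {"alice": "hunter2", "bob": "hunter2"}


def unsalted_hash(password: str) -> str:
    """SHA-256 of the bare password: identical for every user with that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def username_salted_hash(username: str, password: str) -> str:
    """The construction discussed above: SHA(username + password + username)."""
    return hashlib.sha256(f"{username}{password}{username}".encode()).hexdigest()


def stored_hashes(users: dict, salted: bool) -> dict:
    """What the stored password table looks like under each scheme."""
    if salted:
        return {u: username_salted_hash(u, p) for u, p in users.items()}
    return {u: unsalted_hash(p) for u, p in users.items()}


def shared_lookup_table(dictionary: list) -> dict:
    """Computed once, reusable against any unsalted table (the precomputed-table case)."""
    return {unsalted_hash(pw): pw for pw in dictionary}


def recover_with_shared_table(stored: dict, table: dict) -> dict:
    """Which accounts a precomputed table matches without any further hashing."""
    return {user: table.get(h) for user, h in stored.items()}


def hash_work_needed(n_users: int, dict_size: int, salted: bool) -> int:
    """Hash computations to test the whole dictionary against every account.

    Unsalted: one pass over the dictionary covers all users at once.
    Username-salted: the pass must be repeated per user, because the salt is
    known but differs per account, so results do not transfer between users.
    """
    return dict_size * (n_users if salted else 1)


if __name__ == "__main__":
    table = shared_lookup_table(DICTIONARY)
    print("unsalted:", recover_with_shared_table(stored_hashes(USERS, False), table))
    print("salted:  ", recover_with_shared_table(stored_hashes(USERS, True), table))
    print("work:", hash_work_needed(len(USERS), len(DICTIONARY), False),
          "vs", hash_work_needed(len(USERS), len(DICTIONARY), True))
```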