https://bugzilla.wikimedia.org/show_bug.cgi?id=28419
--- Comment #11 from Aryeh Gregor <[email protected]> 2011-05-11 19:55:42 UTC ---

I'd say the best thing to do is store a hash of the secret salt in the database. If the secret salt is, say, a 40-byte hexadecimal string, a hash won't disclose any info about it. Then before storing or checking any passwords, verify that the salt in config matches the hash in the database, and abort with a specific error if it doesn't. That will detect if the salt has changed as well as if it's not configured. It will also catch errors when storing new passwords, not just retrieving old ones, so you don't have different passwords stored with different secret salts.
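
The check proposed in the comment above, as an added Python example that is not part of the original message or of the project's code. The SQLite tables `site_meta` and `users`, the SHA-256 fingerprint, the PBKDF2 password scheme and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

class SecretSaltMismatch(Exception):
    """Configured secret salt is missing or is not the one recorded in the DB."""

def fingerprint(secret_salt: str) -> str:
    # A plain hash is safe to store only because the salt is long and random.
    return hashlib.sha256(b"salt-check:" + secret_salt.encode()).hexdigest()

def init_db(secret_salt: str) -> sqlite3.Connection:
    # Install time: record the fingerprint once (table names are hypothetical).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE site_meta (k TEXT PRIMARY KEY, v TEXT)")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, user_salt BLOB, pw BLOB)")
    db.execute("INSERT INTO site_meta VALUES ('salt_fp', ?)", (fingerprint(secret_salt),))
    return db

def require_salt(db, secret_salt):
    # Abort with a specific error before any password is stored or checked.
    if not secret_salt:
        raise SecretSaltMismatch("secret salt is not configured")
    (stored,) = db.execute("SELECT v FROM site_meta WHERE k = 'salt_fp'").fetchone()
    if not hmac.compare_digest(stored, fingerprint(secret_salt)):
        raise SecretSaltMismatch("secret salt differs from the one passwords were stored with")

def _derive(secret_salt, user_salt, password):
    # Assumed scheme: PBKDF2 over the password, salted with per-user salt + secret salt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               user_salt + secret_salt.encode(), 100_000)

def set_password(db, secret_salt, name, password):
    require_salt(db, secret_salt)  # guards the write path, not only lookups
    user_salt = os.urandom(16)
    db.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
               (name, user_salt, _derive(secret_salt, user_salt, password)))

def check_password(db, secret_salt, name, password):
    require_salt(db, secret_salt)
    row = db.execute("SELECT user_salt, pw FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], _derive(secret_salt, row[0], password))
```

Without `require_salt`, a changed or empty secret salt would surface only as every login failing, and new passwords would be written under the wrong salt.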
