vr_driver
Posts posted by vr_driver
Hi Larry,
I've been starting to think about this topic recently (with all the recent hacking and stuff), and although I'm no expert in this field, I was a little surprised to read about storing the salt in the database. If a hacker stole the database, they'd be able to find the salt right there, and work their magic...
As an ignoramus at this, would it be better to use the password as a salt, such as this?
$password = "banana";               // the user's plain-text password
$salt = sha1(md5($password));       // salt derived from the password itself
$password = md5($password . $salt); // value that would be stored
I was looking at this page for the example: http://pbeblog.wordpress.com/2008/02/12/secure-hashes-in-php-using-salt/
I don't know how other people use the salt, but I would want to embed it in the files, or store it either... I thought about using values that were constant, or specifically related to the user, e.g. the username, an id number etc., but all these could still "in theory" change, and affect the salting of a password.
So the only thing I could think of, was make salt, based on the password...
What are your thoughts?
I don't know what's in your 4th book, and maybe this has been addressed, or is a common question, I don't know. Just thought I'd ask some pros.
Thanks,
-Steve
Chapter 12 Page 387 - Database Stored Salt
in PHP 6 and MySQL 5 for Dynamic Web Sites: Visual QuickPro Guide (3rd Edition)
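As an added illustration that is not part of the original thread, the script below puts the salt-from-password scheme quoted in the post next to a per-user random salt stored alongside the hash, and runs both for two users who chose the same password. Function names and the record layout are my own, and it assumes PHP 7 or later for random_bytes().

```php
<?php
// Added example, not code from the thread or from the book it refers to.

// Scheme from the post: the salt is computed from the password itself.
function storePasswordDerivedSalt(string $password): string {
    $salt = sha1(md5($password));
    return md5($password . $salt);
}

// Per-user random salt: generated once at registration and stored in the
// same row as the hash, so it is visible to anyone holding the database dump.
function storeRandomSalt(string $password): array {
    $salt = bin2hex(random_bytes(16));              // 32 hex chars, fresh per user
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

// Verification recomputes the hash from the stored salt and compares in
// constant time, so the salt never needs to be secret to do its job.
function verifyRandomSalt(string $password, array $record): bool {
    $candidate = hash('sha256', $record['salt'] . $password);
    return hash_equals($record['hash'], $candidate);
}

// Two different accounts that happen to use the same password.
$alicePassword = 'banana';
$bobPassword   = 'banana';

// Password-derived salt: the stored value is a pure function of the password,
// so both rows come out identical, and one table of hashes computed per
// candidate password covers every user at once, just like an unsalted hash.
$a = storePasswordDerivedSalt($alicePassword);
$b = storePasswordDerivedSalt($bobPassword);
echo "derived-salt rows identical: ", var_export($a === $b, true), PHP_EOL;

// Random salt: the same password produces two unrelated rows, so each stored
// hash has to be worked on separately even with the salt column in hand.
$r1 = storeRandomSalt($alicePassword);
$r2 = storeRandomSalt($bobPassword);
echo "random-salt rows identical:  ", var_export($r1['hash'] === $r2['hash'], true), PHP_EOL;
echo "correct password verifies:   ", var_export(verifyRandomSalt('banana', $r1), true), PHP_EOL;
echo "wrong password verifies:     ", var_export(verifyRandomSalt('Banana', $r1), true), PHP_EOL;
```

Current PHP wraps the same idea in password_hash() and password_verify(), which generate the random salt and store it inside the returned string, so no separate salt column is needed.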
Posted
Hi Larry,
Thanks for your honest answers. I'll go and have a look at that article, and I appreciate your feedback on this.
Cheers, Steve