Thread: Password salts
06-26-2008, 12:12 AM   #5
delayedinsanity

Quote:
Also, be mindful not to change the salt. If you do, everyone's passwords will no longer work.
Another good reason to read Wildhoney's dynamic salt articles. I originally used a static salt with my encryption, and ran into this problem - if I wanted to change the salt, I had to write another routine just to loop through the entire table and rehash everybody's passwords. Easy enough on a test system with 20+ users, not so good on a user base of 1,000-20,000 (pretty darn easy to reach on some of today's sites).

When I switched it to a dynamic salt this became a moot point. When the user changes their password, a new salt is created; if they forget their password and need a new one emailed to them, a new salt is created, and so on and so forth. So everybody has their own dynamically created, self-updating salt. Makes the system more secure, and ironically simpler.
-m
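The per-user "dynamic salt" scheme the post describes, alongside the site-wide static salt it replaced, as an added example that is not from the thread or its author. The PBKDF2 work factor, the 16-byte salt length and the record layout are my assumptions:

```python
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 iteration count (assumption; tune to your hardware budget).
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from the password and the given salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def set_password(password: str) -> dict:
    """Build a per-user record. A fresh random salt is minted every time the
    password is set or reset, so each user carries their own salt beside the hash."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify_password(record: dict, password: str) -> bool:
    """Re-derive with the salt stored in the user's own record; constant-time compare."""
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def change_password(record: dict, current: str, new: str) -> dict:
    """Rotate salt and hash together on a password change; the old salt is discarded."""
    if not verify_password(record, current):
        raise ValueError("current password does not match")
    return set_password(new)


def static_hash(password: str, site_salt: bytes) -> bytes:
    """The contrasting scheme: one site-wide salt shared by every user. Rotating
    site_salt changes every derived hash, so nothing stored still verifies
    until the whole table is rehashed (the problem the post ran into)."""
    return hash_password(password, site_salt)


def static_verify(stored: bytes, password: str, site_salt: bytes) -> bool:
    return hmac.compare_digest(static_hash(password, site_salt), stored)
```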