06-26-2008, 02:05 PM
As you stated, if a hacker gains access to your database, having your salt visible is the least of your problems. However, if you're still worried about maintaining security over your members' passwords at this point, there are still things you can do. You can use a combination of the salt with another inconspicuous column (such as their username, or the date they registered, etc.) in the hash, as well as using some random method to change where the salt is used in the hash (usernames beginning with a-m would be hashed SALT|PASSWORD|USERNAME, usernames n-z USERNAME|SALT|PASSWORD, etc.).
If you want to get real crafty, and you happen to be using a timestamp somewhere in your table, pull the last two numbers off of it and use them to chop your password in half and place the salt in the middle somewhere. PA|SALT|SSWORD or PASSW|SALT|ORD are much harder to brute force than SALT|PASSWORD and PASSWORD|SALT if the SALT is known.
This all may not stop a hacker from figuring it out, but it would definitely slow him or her right down. Again though, if a hacker has access to your user tables, how you hash should be the least of your concerns.
Posted by delayedinsanity
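The two layouts the post describes (salt position chosen by the username's first letter, and salt spliced into the password at an offset taken from a timestamp), as an added Python example that is not the poster's code: the post names no hash function, so SHA-256 is assumed, and the `UserRow` columns and function names are mine.

```python
import hashlib
import hmac
from dataclasses import dataclass


def _digest(material: str) -> str:
    # The post names no hash function; SHA-256 is assumed for this example.
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


@dataclass
class UserRow:
    # Hypothetical columns: the salt plus the "inconspicuous" ones the post
    # suggests reusing (username, registration timestamp).
    username: str
    salt: str
    registered: int
    pw_hash: str = ""


def username_layout(row: UserRow, password: str) -> str:
    """Usernames starting a-m hash SALT|PASSWORD|USERNAME, all others
    USERNAME|SALT|PASSWORD (the post's first idea)."""
    if "a" <= row.username[:1].lower() <= "m":
        return f"{row.salt}|{password}|{row.username}"
    return f"{row.username}|{row.salt}|{password}"


def timestamp_layout(row: UserRow, password: str) -> str:
    """The last two digits of the timestamp choose where the salt is spliced
    into the password (the post's second idea). The index is reduced modulo
    the password length; an index of 0 degenerates to plain SALT|PASSWORD."""
    if not password:
        raise ValueError("empty password")
    cut = int(str(row.registered)[-2:]) % len(password)
    return f"{password[:cut]}|{row.salt}|{password[cut:]}"


LAYOUTS = {"username": username_layout, "timestamp": timestamp_layout}


def hash_password(row: UserRow, password: str, layout: str = "timestamp") -> str:
    return _digest(LAYOUTS[layout](row, password))


def verify(row: UserRow, candidate: str, layout: str = "timestamp") -> bool:
    # Everything needed to rebuild the layout comes from the row itself.
    return hmac.compare_digest(hash_password(row, candidate, layout), row.pw_hash)
```

Note that `verify` needs nothing beyond the row's own columns to rebuild the layout, which is the point the post concedes: whoever holds the user table holds every input to the scheme.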