08-28-2009, 07:01 PM   #7
Village Idiot

Quote:
Originally Posted by eStrategy
Yeah, you really need to be able to retrieve the value of the salt for each logon, which is why I suggested storing it in the database.

I would have thought something like sha1(md5($password)), $salt); would be secure enough wouldn't it?
There is no advantage in double hashing; in fact it is less secure to do it that way. This is because there are fewer combinations of MD5 outputs than possible input strings. MD5 also outputs a base-16 number, so certain characteristics are a given. This can narrow down attacks a lot. A cracker who finds out you pass it through MD5 first will know for a fact that it only contains a-f and 0-9, and it is also always 32 digits. Although realistically it won't make too much of a difference.
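An added example (not from either poster; written in Python rather than the thread's PHP, and the scheme, record layout and function names are assumptions) that illustrates both points in the exchange: the per-user salt is stored with the hash and read back at logon, and whatever the password, the value that reaches sha1() in sha1(md5($password) . $salt) is always a 32-character hex string drawn from at most 2^128 possibilities.

```python
import hashlib
import hmac
import os

HEX_ALPHABET = set("0123456789abcdef")
MD5_OUTPUT_SPACE = 2 ** 128  # md5 produces a 128-bit digest


def md5_intermediate(password: str) -> str:
    # The inner md5() call of the scheme asked about in the quoted post.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def intermediate_is_constrained(password: str) -> bool:
    # Regardless of input, the inner value is 32 chars from [0-9a-f].
    h = md5_intermediate(password)
    return len(h) == 32 and set(h) <= HEX_ALPHABET


def first_length_exceeding_md5_space(alphabet_size: int) -> int:
    # Shortest maximum password length at which the number of possible
    # input strings (all lengths 1..L) exceeds the number of md5 outputs.
    total, length = 0, 0
    while total <= MD5_OUTPUT_SPACE:
        length += 1
        total += alphabet_size ** length
    return length


def double_hash(password: str, salt: bytes) -> str:
    # sha1(md5($password) . $salt), the scheme under discussion.
    inner = md5_intermediate(password).encode("ascii")
    return hashlib.sha1(inner + salt).hexdigest()


def make_record(password: str) -> dict:
    # Per-user random salt, stored alongside the hash (constructed record layout).
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": double_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    # Retrieve the stored salt at logon and compare in constant time.
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(double_hash(password, salt), record["hash"])
```

For 95 printable ASCII characters the raw input space only outgrows the md5 output space at a maximum length of 20, which is why the reply notes the reduction rarely matters for real passwords.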