Best way to use salts?
08-28-2009, 07:01 PM
Originally Posted by
Yeah, you really need to be able to retrieve the value of the salt for each logon, which is why I suggested storing it in the database.
I would have thought something like sha1(md5($password)), $salt); would be secure enough, wouldn't it?
There is no advantage in double hashing; in fact, it is less secure to do it that way. This is because there are fewer combinations of MD5 outputs than possible input strings. MD5 also outputs a base-16 number, so certain characteristics are a given. This can narrow down attacks a lot. A cracker who finds out you pass it through MD5 first will know for a fact that it only contains a-f and 0-9; it is also always 32 digits. Although realistically it won't make too much of a difference.
Find More Posts by Village Idiot
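
An added example, not code from either poster: a per-user salt stored with the account record and read back at each logon, as the quoted post suggests. It assumes an in-memory array in place of the database table and PBKDF2-SHA256 as the hash (this example's choice, not the thread's); the last function checks the MD5 output format the reply describes.

```php
<?php
// Added example: per-user salt stored beside the hash and read back at logon.
// $users stands in for a database table (assumption); PBKDF2-SHA256 is this
// example's choice of hash, not something the thread specifies.

const ITERATIONS = 100000; // constructed work factor for the example

function register_user(array &$users, string $name, string $password): void
{
    $salt = random_bytes(16); // fresh random salt for every account
    $users[$name] = [
        'salt' => bin2hex($salt),   // stored in the clear next to the hash
        'iter' => ITERATIONS,
        'hash' => hash_pbkdf2('sha256', $password, $salt, ITERATIONS, 64),
    ];
}

function verify_login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row  = $users[$name];              // fetch this user's salt at logon
    $salt = hex2bin($row['salt']);
    $calc = hash_pbkdf2('sha256', $password, $salt, $row['iter'], 64);
    return hash_equals($row['hash'], $calc); // constant-time comparison
}

// The property the reply describes: md5() always returns 32 characters drawn
// from 0-9 and a-f, so an outer sha1() only ever sees input of that format.
function md5_output_is_fixed_format(string $input): bool
{
    return preg_match('/\A[0-9a-f]{32}\z/', md5($input)) === 1;
}

$users = [];
register_user($users, 'alice', 'correct horse'); // constructed sample accounts
register_user($users, 'bob', 'correct horse');   // same password as alice

var_dump(verify_login($users, 'alice', 'correct horse'));
var_dump(verify_login($users, 'alice', 'wrong guess'));
// Different salts give different stored hashes for the same password.
var_dump($users['alice']['hash'] === $users['bob']['hash']);
var_dump(md5_output_is_fixed_format(str_repeat('x', 500)));
```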