Old 11-01-2009, 08:38 PM   #14 (permalink)
adamdecaf
The Addict
Join Date: May 2009
Posts: 287
Thanks: 5

Quote:
Originally Posted by Rhinos
So each user will have their own salt stored in the database?
Yes, you should store the clear-text version of the salt and a hashed version of the salt + password.

You then grab the incoming data ($_GET/$_POST) and hash it with the given salt, then compare the newly hashed data against the string stored in the database. If they match, you have a successful login; otherwise you need to send an error.

Quote:
Originally Posted by Rhinos
I'm still unconvinced by your use of a random string generator for the salt.

Surely ryanmr's method as well as mine would be better?
The length of a salt doesn't matter a great deal; the idea is to combine the password with any length of unknown characters. This way a brute-force attack would have to contemplate more data than just a simple password. If a hacker gains access to your database, they still have to check the possibilities.

Salts are just used to increase security for resistance against brute-force attacks; the unknown variable is a great asset for securing user accounts.
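The registration and login flow described in the post above (store the clear-text salt next to hash(salt + password), re-hash the submitted password with the stored salt, compare), as an added example that is not code from the post or its author. It assumes an in-memory dict standing in for the users table, SHA-256 as the hash, and a constant-time comparison for the final check.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the users table: username -> (salt, hash).
# A real application would keep these two columns in the database.
USERS = {}


def make_salt(nbytes=16):
    """Generate a fresh random per-user salt; it is stored in clear text."""
    return os.urandom(nbytes).hex()


def hash_password(salt, password):
    """Hash the salt concatenated with the password, as the post describes."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def register(username, password):
    """Create a user record: (clear-text salt, hash of salt + password)."""
    salt = make_salt()
    USERS[username] = (salt, hash_password(salt, password))
    return salt


def login(username, submitted_password):
    """Re-hash the submitted password with the stored salt and compare.

    Returns True on a match, False on a wrong password or unknown user.
    """
    record = USERS.get(username)
    if record is None:
        # Hash anyway so an unknown username costs as much as a known one;
        # the dummy salt is an arbitrary constant, not a real stored value.
        hash_password("0" * 32, submitted_password)
        return False
    salt, stored_hash = record
    candidate = hash_password(salt, submitted_password)
    # Constant-time comparison: a plain == would stop at the first differing
    # byte and leak timing information about the stored hash.
    return hmac.compare_digest(candidate, stored_hash)
```

Because every user gets a different salt, two users with the same password end up with different stored hashes, which is what defeats precomputed tables. For production use, a deliberately slow password hash such as bcrypt, scrypt or Argon2 should replace the single SHA-256 round shown here.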