11-17-2007, 07:03 PM
#9
The Addict
Join Date: Nov 2007
Posts: 282
Thanks: 61
Quote:
Originally Posted by Haris
My salt is a 7-character salt stored in the DB, and in the password row, the password is the md5 of the salt and the password.
The salt is randomly generated, either when the user is created or if the user changes the password.
However, if the hacker has access to my MySQL server, he can modify the salt and regenerate the password field with md5 hash generators; that is ONLY if he knew how I generate the passwords within the code.
Edit: Adam, is it good practice to use more than 1 salt?
|
How I see it is, if you have one salt regardless, and the hacker has only access to your db, it wouldn't matter if they change the hash; they can delete everything lol... daily backups ftw. And again, the salt could be positioned in any way: you could have it added to your hash using substr, you could hash it into your md5 at any position, in any form, backwards, half of the hash; you could even flip the hash and include it twice. It doesn't matter, they won't have your password :). So if they have the pw to your db then yah, you could be screwed; they can delete everything, that's about it, and waste their time not cracking their passwords lol... Most crackers or script kiddies are only worried about "yah, I defaced your website"; they don't care about anything else. Have you read ha.ckers.org? Nice blog, some good articles.
__________________
PHP/XHTML Freelancer:
Cleanscript.com v3 - Programming starting at just $5 act now!
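An added example, not part of the post above or of either poster's code: the scheme Haris describes (a 7-character random salt stored beside the md5 of salt and password) next to PHP's built-in password_hash(), with a login check that rehashes a legacy row once the password verifies. The row layout, the function names and the salt-then-password order are assumptions; it needs PHP 7.1 or later.

```php
<?php
// Constructed example. A "row" is an array standing in for one users-table
// record with columns salt, hash and algo (hypothetical column names).

// Legacy scheme from the thread: random 7-character salt, md5(salt . password).
// The concatenation order is an assumption; the thread does not state it.
function legacy_make(string $password): array {
    $salt = substr(bin2hex(random_bytes(4)), 0, 7);
    return ['salt' => $salt, 'hash' => md5($salt . $password), 'algo' => 'md5'];
}

// Replacement: password_hash() generates a per-user salt itself and embeds
// it, together with the cost parameters, in the returned string.
function set_password(string $password): array {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    return ['salt' => null, 'hash' => $hash, 'algo' => 'php'];
}

// Returns [ok, row]. A legacy row is rewritten only after its md5 check
// succeeds, so existing users migrate at their next successful login.
function verify_and_upgrade(array $row, string $password): array {
    if ($row['algo'] === 'md5') {
        // hash_equals() compares in constant time.
        $ok = hash_equals($row['hash'], md5($row['salt'] . $password));
        return [$ok, $ok ? set_password($password) : $row];
    }
    $ok = password_verify($password, $row['hash']);
    if ($ok && password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row = set_password($password);   // default algorithm or cost changed
    }
    return [$ok, $row];
}

// Constructed sample data: one user stored in the legacy format.
$row = legacy_make('correct horse');

[$ok, $row] = verify_and_upgrade($row, 'wrong guess');    // row stays legacy
var_dump($ok, $row['algo']);

[$ok, $row] = verify_and_upgrade($row, 'correct horse');  // row is upgraded
var_dump($ok, $row['algo']);

[$ok, $row] = verify_and_upgrade($row, 'correct horse');  // verified via password_verify()
var_dump($ok, $row['algo']);
```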