06-25-2008, 09:47 PM
|
#1 (permalink)
|
|
The Contributor
Join Date: Apr 2008
Location: Nevada, USA
Posts: 52
Thanks: 10
|
Password salts
So I've been looking at how to crypt users passwords. Obviously MD5, but there are rainbow tables for that among other things. I also tried hashing stuff multiple times. Like this:
PHP Code:
function pass_crypt($str)
{
$sha1 = sha1($str);
$rot13 = str_rot13($sha1);
$md5 = md5($rot13);
return $md5;
}
But read in quite a few different places that this is bad. But now I looked into salting the passwords. I read about using something fairly unique for the salt for every user. Like using their username as the salt. Or email. But say I wanted to use a completely random 16 char salt for every user. How do I go about storing the random salt for later use. Like when they go to log in. If I put it in the database isn't that just defeating the purpose. Because now if some hacker has my database with the MD5's and the salts to go with it they have everything they need.
Or I guess the hacker would have to generate a new rainbow table for each password because their all different salts. Right?
__________________
|
|
|
Join the friendly bunch on IRC...
Threaded Mode
