[DEV] New Usersystem

Whoever the other develop is must be pretty bad. The whole point of a salt is to render the password useless if your database is compromised. If you use something secure like SHA256 (not MD5) with a salt, the password would practically be impossible to crack. If your salt is known, it makes it easier.

Quote:

---

Originally Posted by MattFr

Whoever the other develop is must be pretty bad. The whole point of a salt is to render the password useless if your database is compromised. If you use something secure like SHA256 (not MD5) with a salt, the password would practically be impossible to crack. If your salt is known, it makes it easier.

---

Thats why ive not added salt yet, and if i do i would never add it into the database

Don't store the ******* salt in the ******* database. Just don't. Doesn't matter if vB does it. Just generate the salt in the php code and keep it there. Like I said before, if your database gets hacked, at least the hacker doesn't have access to the salt. It's much easier to get access to a database than it is to get access to your hosting account/panel.

might release the code soon for everyone to go over, because it looks like i might be starting again with another developer to make it better :P

To be honest you should just salt your password in the filesystem before inserting it into the database.
Something I just had a quick think about, what about salting the username and password with the string length of the username?

Simple salting method

PHP Code:

---

// grab length of username
$usernameLen = strlen($username);

// concatonate username, password and username length then sha1 them.
$passwordSalt = sha1($username . $password . $usernameLen); 


---

The algorithm is the same but no salt is effectively stored in the database, meaning nobody would know your algorithm without knowing your filesystem. The beauty of this is that the salt will differ depending on the length of the username.

Quote:

---

Originally Posted by Irrorate

To be honest you should just salt your password in the filesystem before inserting it into the database.
Something I just had a quick think about, what about salting the username and password with the string length of the username?

Simple salting method

PHP Code:

---

// grab length of username
$usernameLen = strlen($username);

// concatonate username, password and username length then sha1 them.
$passwordSalt = sha1($username . $password . $usernameLen); 


---

The algorithm is the same but no salt is effectively stored in the database, meaning nobody would know your algorithm without knowing your filesystem. The beauty of this is that the salt will differ depending on the length of the username.

---

Abit of extra security, sure, but then whenever you change a user's username you'd also be forced to update their password as well.

Quote:

---

Originally Posted by HotelUser

Abit of extra security, sure, but then whenever you change a user's username you'd also be forced to update their password as well.

---

Yes indeed, I was just giving an example of a simple salting method that works better than storing the salt in the database :P

It isn't ideal to use salt characters that can change, of course, but using a salt that doesn't require storing is much preferred :P

Your names *REMOVED*? No way?

Edited by Nicola (Forum Super Moderator): Please do not post private information without consent of the other forum member.

Quote:

---

Originally Posted by BoyBetterKnow

Your names *REMOVED*? No way?

---

eh, yes :P how you find that out? im guessing i put it in the usersystem somewhere them :P

Why?

EDIT: Found it, one of the screenshots :P

*Removed* admins . super mod w/e had a go at me, its in the screenie ye :D

Edited by Recursion (Forum Moderator): Please do not be rude to other forum members, staff included. Thanks.