Whoever the other develop is must be pretty bad. The whole point of a salt is to render the password useless if your database is compromised. If you use something secure like SHA256 (not MD5) with a salt, the password would practically be impossible to crack. If your salt is known, it makes it easier.
Results 21 to 30 of 35
Thread: [DEV] New Usersystem
-
we're smiling but we're close to tears, even after all these years
-
Thats why ive not added salt yet, and if i do i would never add it into the database
Originally Posted by MattFr
-
Don't store the ******* salt in the ******* database. Just don't. Doesn't matter if vB does it. Just generate the salt in the php code and keep it there. Like I said before, if your database gets hacked, at least the hacker doesn't have access to the salt. It's much easier to get access to a database than it is to get access to your hosting account/panel.
-
might release the code soon for everyone to go over, because it looks like i might be starting again with another developer to make it better
-
To be honest you should just salt your password in the filesystem before inserting it into the database.
Something I just had a quick think about, what about salting the username and password with the string length of the username?
Simple salting method
The algorithm is the same but no salt is effectively stored in the database, meaning nobody would know your algorithm without knowing your filesystem. The beauty of this is that the salt will differ depending on the length of the username.PHP Code:// grab length of username
$usernameLen = strlen($username);
// concatonate username, password and username length then sha1 them.
$passwordSalt = sha1($username . $password . $usernameLen);
Last edited by Irrorate; 03-09-2010 at 01:06 AM.
-
03-09-2010, 02:17 AM #26
Abit of extra security, sure, but then whenever you change a user's username you'd also be forced to update their password as well. Originally Posted by Irrorate
I'm not crazy, ask my toaster.
-
Yes indeed, I was just giving an example of a simple salting method that works better than storing the salt in the database Originally Posted by HotelUser
It isn't ideal to use salt characters that can change, of course, but using a salt that doesn't require storing is much preferred
-
Your names *REMOVED*? No way?
Edited by Nicola (Forum Super Moderator): Please do not post private information without consent of the other forum member.Last edited by Nicola; 03-09-2010 at 08:15 PM.
-
eh, yes Originally Posted by BoyBetterKnow
how you find that out? im guessing i put it in the usersystem somewhere them
Why?
EDIT: Found it, one of the screenshots
Last edited by Nicola; 03-09-2010 at 08:16 PM.
-
*Removed* admins . super mod w/e had a go at me, its in the screenie ye
Edited by Recursion (Forum Moderator): Please do not be rude to other forum members, staff included. Thanks.Last edited by Recursion; 07-09-2010 at 03:32 PM.
Reply With Quote
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts