> When I performed this same task a few months ago, I basically wrote a page
> that did all the salting and updating as a loop.  Obviously I had decided
> on the actual process for login and tested it to make sure it worked.  I
> just increased the size of the password column, added a salt column and ran
> all users through the salting processing page.  I can find the code if you
> are interested.

This would imply that you're storing the user's plaintext passwords
which defeats the whole point of hashing them (e.g. you add the salt
to the password before you run the hash algorithm [e.g. hash(pw+salt)
]).  The only way to add salt to the hash after the fact is if you
have the plaintext passwords.  This is why adding salt after accounts
are established is hard; you have to wait for people to log in again
to get the plaintext password to work with.

If you just appended a salt value to the end of the hash value stored
in the database (e.g. hash(pw)+salt) then it is not adding any
additional security.


-Justin
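The log-in-time migration described above, written out as an added example (not code from this thread or from any ColdFusion site): Python rather than CFML, with an in-memory dict standing in for the users table and SHA-256 standing in for whatever hash function the site already used. Both of those are assumptions, as is the table layout.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the users table: legacy rows hold hash(pw)
# with no salt, i.e. the state of a site that hashed but never salted.
def make_legacy_users() -> dict:
    return {"alice": {"hash": legacy_hash("correct horse"), "salt": None}}

def legacy_hash(password: str) -> str:
    # Old scheme: hash(pw) only. (SHA-256 is an assumption; a slow
    # password hash such as bcrypt/scrypt/Argon2 is preferable in practice.)
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    # New scheme: hash(pw + salt). The salt goes INTO the hash input;
    # storing hash(pw) + salt side by side would add nothing, because the
    # stored digest would still be the unsalted hash(pw).
    return hashlib.sha256(password.encode() + salt).hexdigest()

def login(users: dict, username: str, password: str) -> bool:
    """Verify the password; on success, upgrade a legacy row in place.

    Only at log-in is the plaintext available, so this is the one moment
    an unsalted row can be converted to hash(pw + salt).
    """
    row = users.get(username)
    if row is None:
        return False
    if row["salt"] is None:
        # Legacy row: check against hash(pw), then migrate.
        if not hmac.compare_digest(row["hash"], legacy_hash(password)):
            return False
        salt = os.urandom(16)          # fresh random salt per user
        row["salt"] = salt
        row["hash"] = salted_hash(password, salt)
        return True
    # Already migrated: compare against the salted hash.
    return hmac.compare_digest(row["hash"], salted_hash(password, row["salt"]))

def is_migrated(users: dict, username: str) -> bool:
    return users[username]["salt"] is not None
```

A failed log-in must not migrate the row, since a wrong guess gives no plaintext to salt; the example only rewrites the row after a successful legacy check.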

Archive: 
http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:354821