If you have an existing unsalted userbase, #1 is probably the best bet. You can salt the passwords one at a time, as and when the user logs in next. With the global option, how do you know which passwords are salted and which are not? (obviously not an issue for a new project)
To salt an existing password... eg. User logs in. Check to see if the password is salted - if it's not (the salt field is empty) then... Randomly create a salt, add it on to $_POST['password'] and re-hash. Save the salt and the new hashed password to the database.

When salting passwords, you might want to re-test the user profile page, change password page, and forgot password page (if you have them), which are likely to break.

Hope that helps,
Harvey.

Aaron Cooper wrote:
> 1. Add another field to the user table for storing the salt (in plain
> text) that was generated randomly upon registration. (or use another
> piece of user info, like registration date)

NZ PHP Users Group: http://groups.google.com/group/nzphpug
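The login-time salting flow Harvey describes, written out as working PHP. This is an added example, not code from the thread. It assumes (none of this is stated in the thread) that the legacy hashes are plain md5() of the password, that the new hash is sha256 over salt + password with the salt kept in a separate `salt` column, and that `save_user()` is a stand-in for the database UPDATE; the user row is a constructed array.

```php
<?php
// Added example: lazily salt a legacy unsalted password hash on the user's
// next login. Assumptions not in the thread: legacy hash = md5($password),
// new hash = sha256($salt . $password), salt stored as hex in a `salt`
// column, save_user() is a hypothetical DB write. Requires PHP 7.1+.

function legacy_hash(string $password): string
{
    return md5($password);                     // assumed legacy (unsalted) scheme
}

function salted_hash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);  // salt prepended, as in the thread
}

function save_user(array $user): void
{
    // Stand-in for: UPDATE users SET salt = ?, password_hash = ? WHERE id = ?
    // Use a prepared statement (PDO/mysqli) for this in real code.
}

/**
 * Verify $password (e.g. $_POST['password']) against $user.
 * Returns the user row (upgraded to a salted hash if it was legacy)
 * on success, or null on failure.
 */
function login(array $user, string $password): ?array
{
    if ($user['salt'] === '') {
        // Not yet salted: check against the legacy unsalted hash.
        if (!hash_equals($user['password_hash'], legacy_hash($password))) {
            return null;
        }
        // Correct password, so we have the plaintext: random salt, re-hash,
        // and save both the salt and the new hash.
        $salt = bin2hex(random_bytes(16));
        $user['salt'] = $salt;
        $user['password_hash'] = salted_hash($salt, $password);
        save_user($user);
        return $user;
    }

    // Already salted: verify with the stored salt.
    if (!hash_equals($user['password_hash'], salted_hash($user['salt'], $password))) {
        return null;
    }
    return $user;
}

// Constructed sample row: a user whose hash predates salting.
$user = ['id' => 42, 'salt' => '', 'password_hash' => md5('correct horse')];

var_dump(login($user, 'wrong password'));          // failed login, row untouched
$upgraded = login($user, 'correct horse');         // first good login: salt is added
var_dump($upgraded);
var_dump(login($upgraded, 'correct horse'));       // later logins take the salted path
```

The salt-is-empty check is what answers Harvey's "how do you know which are salted" question: the empty `salt` column is the migration marker, so the same `login()` serves both populations until everyone has logged in once. The change-password and forgot-password pages must write both columns, otherwise a reset user ends up back on the legacy branch. On current PHP the same migration logic is better built on password_hash()/password_verify(), which generate and embed their own salt and use a deliberately slow hash; the "is this row migrated" test then becomes a flag or a check on the stored hash's format rather than a separate salt column.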
