Yes, I agree with Harvey on this one. This is the approach I've successfully used in the past to migrate an existing userbase. (+1 to this approach)
On 6/11/2008, at 11:40 AM, Harvey Kane wrote:

> If you have an existing unsalted userbase, #1 is probably the best bet.
> You can salt the passwords one at a time, as and when the user logs in
> next. With the global option, how do you know which passwords are salted
> and which are not? (obviously not an issue for a new project)
>
> To salt an existing password...
> eg
> User logs in.
> Check to see if password is salted - if it's not (the salt field is
> empty) then...
> Randomly create a salt, add it on to $_POST['password'] and re-hash.
> Save salt and new hashed password to database.
>
> When salting passwords, you might want to re-test the user profile page,
> change password page, and forgot password page (if you have them) which
> are likely to break.
>
> Hope that helps,
>
> Harvey.
>
> Aaron Cooper wrote:
>> 1. Add another field to the user table for storing the salt (in plain
>> text) that was generated randomly upon registration. (or use another
>> piece of user info, like registration date)

NZ PHP Users Group: http://groups.google.com/group/nzphpug
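The login-time migration described in the quoted message, as an added example that is not part of the original thread. The table layout, the function names, the unsalted SHA-1 legacy scheme and the SHA-256 salted scheme are all assumptions; the demo row is constructed.

```php
<?php
// Added example; all names here are hypothetical. Assumes the existing
// column holds unsalted SHA-1 hex digests.
function legacy_hash(string $password): string {
    return sha1($password);
}

// Salt is appended to the password, as in the thread. SHA-256 keeps to the
// thread's separate salt column; password_hash() stores its own salt and
// fits the same login-time hook.
function salted_hash(string $password, string $salt): string {
    return hash('sha256', $password . $salt);
}

function verify_and_migrate(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password, salt FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return false;
    }
    if ($user['salt'] === null || $user['salt'] === '') {
        // Empty salt field: this row is still unsalted. Verify against the
        // legacy hash before touching it, so a wrong password never
        // overwrites the stored credential.
        if (!hash_equals($user['password'], legacy_hash($password))) {
            return false;
        }
        // The correct plaintext is only available now: salt, re-hash, save.
        $salt = bin2hex(random_bytes(16));
        $db->prepare('UPDATE users SET password = ?, salt = ? WHERE id = ?')
           ->execute([salted_hash($password, $salt), $salt, $user['id']]);
        return true;
    }
    return hash_equals($user['password'], salted_hash($password, $user['salt']));
}

// Constructed demo data: one legacy row in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT, salt TEXT)');
$db->prepare('INSERT INTO users (username, password, salt) VALUES (?, ?, NULL)')
   ->execute(['alice', legacy_hash('correct horse')]);

var_dump(verify_and_migrate($db, 'alice', 'wrong guess'));    // failed login, row untouched
var_dump(verify_and_migrate($db, 'alice', 'correct horse'));  // legacy path, row gets salted
var_dump(verify_and_migrate($db, 'alice', 'correct horse'));  // salted path
var_dump($db->query("SELECT salt FROM users WHERE username = 'alice'")->fetchColumn());
```

The change-password and forgot-password handlers need the same `salted_hash()` call and must write the salt column too, which is why the thread suggests re-testing those pages.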
