Obviously update the entire hash on whichever action applies to the salt 
too.

Assuming of course that you ask the user to enter their original password 
whenever they perform such an action. (pretty common when changing email 
addresses)

A little more work tho.


----- Original Message ----- 
From: "Chris Hope" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, November 06, 2008 12:51 PM
Subject: [phpug] Re: Hash sailting best practise


>
>>    Philip> Just randomly generate a string.
>>
>> Or use the username or email itself as the salt. So you won't have to
>> store the salt. This is secure enough.
>
> But what happens if they change their username or email address?
>
> -- 
> Chris Hope
> The Electric Toolbox Ltd
>
> Email: [EMAIL PROTECTED]
> Web: www.electrictoolbox.com
> Phone: +64 9 522 9531
> Mobile: +64 21 866 529
>
> > 
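The trade-off discussed in this thread, as an added example that is not part of the original messages: with the e-mail address as the salt, changing the address requires re-entering the current password and rehashing, while a stored random salt is unaffected. All function names and sample values are hypothetical, and PBKDF2 with this iteration count is an assumption, since the thread does not name a hash function.

```php
<?php
// Added example: hypothetical helpers and constructed sample data.
const ITERATIONS = 100000; // assumed work factor for this sketch

function derive(string $password, string $salt): string {
    return hash_pbkdf2('sha256', $password, $salt, ITERATIONS);
}

// Scheme A (from the thread): the e-mail address doubles as the salt.
function registerEmailSalt(string $email, string $password): array {
    return ['email' => $email, 'hash' => derive($password, $email)];
}

function verifyEmailSalt(array $user, string $password): bool {
    return hash_equals($user['hash'], derive($password, $user['email']));
}

// A new e-mail means a new salt, so the whole hash must be recomputed.
// That is only possible while the plaintext password is in hand.
function changeEmail(array $user, string $newEmail, string $currentPassword): array {
    if (!verifyEmailSalt($user, $currentPassword)) {
        throw new RuntimeException('current password required to change e-mail');
    }
    return registerEmailSalt($newEmail, $currentPassword);
}

// Scheme B (from the thread): random salt, stored next to the hash.
function registerRandomSalt(string $email, string $password): array {
    $salt = bin2hex(random_bytes(16));
    return ['email' => $email, 'salt' => $salt, 'hash' => derive($password, $salt)];
}

function verifyRandomSalt(array $user, string $password): bool {
    return hash_equals($user['hash'], derive($password, $user['salt']));
}

// Constructed sample data.
$a = registerEmailSalt('alice@example.com', 'correct horse');
$stale = $a;
$stale['email'] = 'alice@example.net';      // e-mail updated, hash left alone
var_dump(verifyEmailSalt($stale, 'correct horse'));

$a = changeEmail($a, 'alice@example.net', 'correct horse'); // rehash with new salt
var_dump(verifyEmailSalt($a, 'correct horse'));

$b = registerRandomSalt('bob@example.com', 'tr0ub4dor');
$b['email'] = 'bob@example.net';            // salt column untouched
var_dump(verifyRandomSalt($b, 'tr0ub4dor'));
```

PHP's built-in `password_hash()` and `password_verify()` generate a random salt and store it inside the hash string, which gives Scheme B without a separate salt column.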


--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug