Whichever way you look at it, it comes out easier just to have the separate field. It's not that much work to add a field to a database table and it reduces sooo many headaches later on.

On 6/11/2008, at 1:05 PM, Chris Hope wrote:

> That's right - you'd have to ask them for their password if they
> updated those details. However, it would mean an administrator could
> never change those fields, otherwise the password would become
> invalidated because the salt would now be different.
>
> 2008/11/6 Aaron Cooper <[EMAIL PROTECTED]>:
>> Obviously update the entire hash on whichever action applies to the salt
>> too.
>>
>> Assuming of course that you ask the user to enter their original password
>> whenever they perform such an action. (pretty common when changing email
>> addresses)
>>
>> A little more work tho.
>>
>> ----- Original Message -----
>> From: "Chris Hope" <[EMAIL PROTECTED]>
>> To: <[email protected]>
>> Sent: Thursday, November 06, 2008 12:51 PM
>> Subject: [phpug] Re: Hash sailting best practise
>>
>>>> Philip> Just randomly generate a string.
>>>>
>>>> Or use the username or email itself as the salt. So you won't have to
>>>> store the salt. This is secure enough.
>>>
>>> But what happens if they change their username or email address?
>>>
>>> --
>>> Chris Hope
>>> The Electric Toolbox Ltd
>>>
>>> Email: [EMAIL PROTECTED]
>>> Web: www.electrictoolbox.com
>>> Phone: +64 9 522 9531
>>> Mobile: +64 21 866 529

NZ PHP Users Group: http://groups.google.com/group/nzphpug
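
The administrator-edit problem discussed in this thread, as an added example that is not part of the original messages: the same account is stored once with the email address as the salt and once with a random salt kept in its own field, then the email is changed without the password being known. The function names, the PBKDF2 work factor and the sample account are assumptions made for the illustration.

```php
<?php
// Added illustration; rows are constructed in memory instead of a real table.

const ITERATIONS = 100000; // assumed work factor, tune for your hardware

// Salted, stretched hash of the password (hex string).
function hashWithSalt(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, ITERATIONS);
}

// Scheme A (suggested in the thread): the email address doubles as the salt.
function registerEmailSalt(string $email, string $password): array
{
    return ['email' => $email, 'hash' => hashWithSalt($password, $email)];
}

function verifyEmailSalt(array $user, string $password): bool
{
    // The salt is re-derived from whatever email is stored right now.
    return hash_equals($user['hash'], hashWithSalt($password, $user['email']));
}

// Scheme B (the separate field): a random per-user salt in its own column.
function registerStoredSalt(string $email, string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['email' => $email, 'salt' => $salt,
            'hash'  => hashWithSalt($password, $salt)];
}

function verifyStoredSalt(array $user, string $password): bool
{
    // The salt never depends on fields an administrator may edit.
    return hash_equals($user['hash'], hashWithSalt($password, $user['salt']));
}

// Constructed sample account, stored under both schemes.
$a = registerEmailSalt('alice@example.test', 'correct horse');
$b = registerStoredSalt('alice@example.test', 'correct horse');

// An administrator changes the address; the password is not available,
// so the hash in scheme A cannot be recomputed with the new salt.
$a['email'] = 'alice@new.example.test';
$b['email'] = 'alice@new.example.test';

// Compare the two results: only scheme B still accepts the password.
var_dump(verifyEmailSalt($a, 'correct horse'));
var_dump(verifyStoredSalt($b, 'correct horse'));
```

PHP's built-in `password_hash()` and `password_verify()` take the separate-salt approach one step further by generating a random salt and storing it inside the returned hash string.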
