If this were commonly accepted and broken down statistically, surely as old as MD5 is, we would have a function by now along the lines of:
    $password = 2x_md5($inputpw);

I'm glad it works for you, but to me it just seems.... hackish?

----- Original Message -----
From: "Karl" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Thursday, November 06, 2008 4:17 PM
Subject: [phpug] Re: Hash salting best practise

Depends on the salt I guess...

I tried that 'tool' against the hashes stored in a site designed for a client, where we double-loop the password thru MD5 and it came back 100% "uncrackable"... and there is never a need to worry about salting anything.

Just strikes me as 100% absurdly simple to do, and 100% impossible to break... never need to worry about who finds your code and tries to reverse things, etc.

The whole 'salting' thing strikes me as a pointless storm in a teacup really. No overhead on the database, no extra tables to piss around with, no need to do anything more than:

    $password = md5(md5($inputpw));

.....and later on...

    if (md5(md5($inputpw)) == $dbpass) {
        .....accept...
    } else {
        .....reject...
    }

If that doesn't beat all this salting hassle... I dunno what does!

Just my zwei pfennig worth...

Cheers...

*********** REPLY SEPARATOR ***********

On 6/11/2008 at 3:58 p.m. Harvey Kane wrote:

>A far far better approach would be to implement salting, which makes
>sites like this useless against your passwords.

---
Karl
Senior Account Manager
www.KIWIreviews.co.nz ... Where Your Views Count

Please consider the environment before printing this email.

Supporting Palmerston North's Santa... see our Community Gold Project page: http://www.KIWIreviews.co.nz/santa - To be seen on TVNZ's 'Mucking In' show!

--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
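Added example, not part of the original messages: the unsalted md5(md5($pw)) scheme quoted above next to a per-user salted hash, showing what the salt changes for a database of stored hashes. The account names, passwords and candidate list are constructed for illustration, and PHP 7.4 or later is assumed (password_hash() did not exist when this thread was written).

```php
<?php
// Added example, not code from the thread. All accounts and passwords are constructed.
$accounts = [
    'alice' => 'sunshine1',
    'bob'   => 'sunshine1',      // same password as alice
    'carol' => 'T7#mq-Vx29!r',
];

// The scheme from the quoted message: two rounds of MD5, no salt.
function double_md5(string $pw): string
{
    return md5(md5($pw));
}

// Without a salt the hash depends only on the password, so one table
// computed once from a candidate list applies to every stored hash.
function build_table(array $candidates): array
{
    $table = [];
    foreach ($candidates as $candidate) {
        $table[double_md5($candidate)] = $candidate;
    }
    return $table;
}

$stored = array_map('double_md5', $accounts);          // what the database would hold
$table  = build_table(['password', 'letmein', 'sunshine1']);

foreach ($stored as $user => $hash) {
    $status = isset($table[$hash]) ? 'matches precomputed table' : 'no match';
    printf("%-6s %s  %s\n", $user, $hash, $status);
}

// Identical passwords give identical stored values under the unsalted scheme.
echo "unsalted, alice === bob: ";
var_dump($stored['alice'] === $stored['bob']);

// Salted alternative: password_hash() draws a fresh random salt on every call
// and stores it inside the returned string, so no extra column or table is needed.
$salted = array_map(fn($pw) => password_hash($pw, PASSWORD_DEFAULT), $accounts);

echo "salted, alice === bob:   ";
var_dump($salted['alice'] === $salted['bob']);

// Verification re-reads the salt from the stored string and compares in constant time.
echo "correct password:        ";
var_dump(password_verify('sunshine1', $salted['bob']));
echo "wrong password:          ";
var_dump(password_verify('sunshine2', $salted['bob']));
```

A lookup site that reports a double-MD5 hash as not found only shows that its table was built for single MD5; the salt is what prevents any single table from covering every row.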
