Re: [PHP] password hashing and crypt()

2008-01-22 Thread Robert Cummings
On Wed, 2008-01-23 at 00:40 -0500, Nathan Nobbe wrote: > alright, so you guys have responded and im really appreciative. > you have me thinking now.. > so what are the real issues here? > >1. portability >2. security (obviously) > > im wondering now if crypt() is really even so practical

Re: [PHP] password hashing and crypt()

2008-01-22 Thread Nathan Nobbe
alright, so you guys have responded and im really appreciative. you have me thinking now.. so what are the real issues here? 1. portability 2. security (obviously) im wondering now if crypt() is really even so practical. especially considering the deal where only 2 characters are prepended

Re: [PHP] password hashing and crypt()

2008-01-22 Thread Chris
Richard Lynch wrote: On Tue, January 22, 2008 7:43 pm, Chris wrote: Richard Lynch wrote: On Sat, January 19, 2008 8:24 pm, Eric Butera wrote: I always make sure that I use a site specific salt which is just appended on the user supplied value. I started doing that when I read that people had

Re: [PHP] password hashing and crypt()

2008-01-22 Thread Richard Lynch
On Tue, January 22, 2008 7:43 pm, Chris wrote: > Richard Lynch wrote: >> On Sat, January 19, 2008 8:24 pm, Eric Butera wrote: >>> I always make sure that I use a site specific salt which is just >>> appended on the user supplied value. I started doing that when I >>> read >>> that people had cre

Re: [PHP] password hashing and crypt()

2008-01-22 Thread Chris
Richard Lynch wrote: On Sat, January 19, 2008 8:24 pm, Eric Butera wrote: I always make sure that I use a site specific salt which is just appended on the user supplied value. I started doing that when I read that people had created huge databases of hashed values that they can just search on.

Re: [PHP] password hashing and crypt()

2008-01-22 Thread Richard Lynch
On Sat, January 19, 2008 8:24 pm, Eric Butera wrote: > I always make sure that I use a site specific salt which is just > appended on the user supplied value. I started doing that when I read > that people had created huge databases of hashed values that they can > just search on. At least this w

Re: [PHP] password hashing and crypt()

2008-01-22 Thread Richard Lynch
On Sat, January 19, 2008 2:11 pm, Nathan Nobbe wrote: > http://www.php.net/manual/en/function.crypt.php > has a second parameter, $salt, which, if not supplied will be > automatically > generated and presumably become a prefix or suffix of the returned > string. Or, in some algorithms, gets buried

Re: [PHP] password hashing and crypt()

2008-01-21 Thread Chris
Nathan Nobbe wrote: hi all, recently ive been debating a bit about the use of the crypt() function and the best practice thereof, im hoping you can help to clarify this for me. so, the crypt function http://www.php.net/manual/en/function.crypt.php has a second parameter, $salt, which, if not su

Re: [PHP] password hashing and crypt()

2008-01-21 Thread Robert Cummings
On Mon, 2008-01-21 at 14:37 -0500, Mike Potter wrote: > > You should have said "yes" and quit while you thought you were ahead. I'm not trying to get "ahead"... I didn't know I was competing. Are we competing? I thought I was just answering posts. > > that was me saying that there is certainly a

Re: [PHP] password hashing and crypt()

2008-01-21 Thread Mike Potter
My apologies Robert, Gmail sucks. I'm bouncing this back to the list, where it belonged in the first place. Feel free to make corrections if I've mischaracterized what you wrote. Good luck with that, btw, but don't expect me to engage. Robert Cummings wrote: >>> And THAT does remind me of my MUD

Re: [PHP] password hashing and crypt()

2008-01-20 Thread Robert Cummings
On Sat, 2008-01-19 at 23:17 -0500, Nathan Nobbe wrote: > thanks for the great responses guys. > i guess what im really getting at though is, if crypt() will embed > a salt in the value it returns automatically, is there any benefit to > creating a salt to pass to the second argument and storing tha

Re: [PHP] password hashing and crypt()

2008-01-19 Thread Nathan Nobbe
thanks for the great responses guys. i guess what im really getting at though is, if crypt() will embed a salt in the value it returns automatically, is there any benefit to creating a salt to pass to the second argument and storing that as well? conceivably, passwords already have a salt using the

RE: [PHP] password hashing and crypt()

2008-01-19 Thread Andrés Robinet
> -Original Message- > From: Eric Butera [mailto:[EMAIL PROTECTED] > Sent: Sunday, January 20, 2008 12:24 AM > To: Jochem Maas > Cc: Nathan Nobbe; PHP General List > Subject: Re: [PHP] password hashing and crypt() > > On Jan 19, 2008 8:02 PM, Jochem Maas &

Re: [PHP] password hashing and crypt()

2008-01-19 Thread Eric Butera
On Jan 19, 2008 8:02 PM, Jochem Maas <[EMAIL PROTECTED]> wrote: > Nathan Nobbe wrote: > > hi all, > > > > recently ive been debating a bit about the use of the crypt() function and > > the best practice thereof, im hoping you can help to clarify this for me. > > > > so, the crypt function > > htt

Re: [PHP] password hashing and crypt()

2008-01-19 Thread Jochem Maas
Nathan Nobbe wrote: hi all, recently ive been debating a bit about the use of the crypt() function and the best practice thereof, im hoping you can help to clarify this for me. so, the crypt function http://www.php.net/manual/en/function.crypt.php has a second parameter, $salt, which, if not

[PHP] password hashing and crypt()

2008-01-19 Thread Nathan Nobbe
hi all, recently ive been debating a bit about the use of the crypt() function and the best practice thereof, im hoping you can help to clarify this for me. so, the crypt function http://www.php.net/manual/en/function.crypt.php has a second parameter, $salt, which, if not supplied will be automat