$this->encrypt->sha1(); and Salts...
#1

[eluser]internut[/eluser]
Should I just avoid the library as it does not seem to support salt? I WANT salt encryption.

Most PHP installs all have sha1 encryption these days?

If I have a random salt in a record I guess I need to do two lookups?

Grab first the user/id record to get the salt then check incoming post pass with salt and determine a match?
#2

[eluser]Dam1an[/eluser]
You still only need to do one lookup
1. Get the user row based on id, email or password (or other unique field)
2. Salt and hash the post password using SHA1 and the user's salt
3. Compare result with the password in the user row you fetched earlier
#3

[eluser]internut[/eluser]
Righto I read ya. What about the encrypt lib... I do not see any salt functions within it. Any suggestions on the salt? 4 random chars? More?
#4

[eluser]Dam1an[/eluser]
With all of mine, I use the random string (unique) which gives me a 32 bit salt for each user
I then hash the user's password with SHA1, concatenate this to the salt and hash again

Should be secure enough :)
#5

[eluser]internut[/eluser]
Wow that is very secure I would imagine... I just went the route of the 32 unique / random then salted it... Wonder if I should do it how you are.

Actually your way I could sha1 it to keep it in a user's cookie so the remember me pre-filled password is not plain text then run it against the salt after it comes in.

hmmm......
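The single-lookup flow from post #2 combined with the salt-then-rehash scheme from post #4, as an added example that is not code from the thread or from CodeIgniter; the in-memory `$users` array, the function names and the order in which salt and hash are concatenated are assumptions. The second pair of functions shows PHP's built-in `password_hash()` / `password_verify()`, which keep the per-user salt inside the stored hash string, so no separate salt column or second lookup is involved.

```php
<?php
// Added example. $users is a constructed stand-in for the users table,
// keyed by e-mail; every name here is hypothetical.

// Registration, post #4 style: per-user random salt, sha1(salt . sha1(password)).
function make_row_sha1(string $password): array
{
    $salt = bin2hex(random_bytes(16)); // 32 hex characters, unique per user
    return ['salt' => $salt, 'hash' => sha1($salt . sha1($password))];
}

// Login, post #2 style: one lookup returns salt and stored hash together.
function login_sha1(array $users, string $email, string $password): bool
{
    $row = $users[$email] ?? null;                      // step 1: fetch the row
    if ($row === null) {
        return false;                                   // unknown user
    }
    $candidate = sha1($row['salt'] . sha1($password));  // step 2: salt and hash
    return hash_equals($row['hash'], $candidate);       // step 3: constant-time compare
}

// Same flow with PHP's password API: the salt and cost are embedded in the hash.
function make_row_native(string $password): array
{
    return ['hash' => password_hash($password, PASSWORD_DEFAULT)];
}

function login_native(array $users, string $email, string $password): bool
{
    $row = $users[$email] ?? null;
    return $row !== null && password_verify($password, $row['hash']);
}

// Constructed sample data.
$sha1Users   = ['a@example.test' => make_row_sha1('correct horse')];
$nativeUsers = ['a@example.test' => make_row_native('correct horse')];

var_dump(login_sha1($sha1Users, 'a@example.test', 'correct horse'));
var_dump(login_sha1($sha1Users, 'a@example.test', 'wrong guess'));
var_dump(login_native($nativeUsers, 'a@example.test', 'correct horse'));
var_dump(login_native($nativeUsers, 'nobody@example.test', 'correct horse'));
```

A salt stops precomputed-table attacks but SHA-1 remains fast to brute-force per user; `password_hash()` uses a deliberately slow algorithm for that reason.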



