|CMS Made Simple Forums
|[closed] Per-backend-user password salting
|Page 1 of 1|
|Author:||tomphantoo [ Tue Sep 20, 2011 8:35 am ]|
|Post subject:||[closed] Per-backend-user password salting|
It's good that password salting is coming for backend users.
I have 1.10-beta1, and there at least, the process uses the same salt (or none) for everyone. AFAIK, it's more secure to use per-person salting, even when someone malicious can access the tabled password data, hence the individual salts. Can't run all the users against a single dictionary (or whatever).
I've modded mine to append a random 8-byte salt to each user's 32-byte md5 hash. The space is already there in the database field. Takes only about a dozen extra lines of code total, for password creation and validation (the latter handling hash-only or hash+salt, according to what's stored).
Worth doing generally?
|Author:||Rolf [ Fri Sep 23, 2011 4:19 pm ]|
|Post subject:||Re: Per-backend-user password salting|
Thanks for helping us out testing
Worth doing generally?Not at this moment...
|Page 1 of 1||All times are UTC|
|Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group