Adding salt to my passwords

...have I got this right?

elgumbo

3:17 pm on Dec 15, 2005 (gmt 0)

10+ Year Member



Hi

I'm playing around with some PHP user authentication scripts and came across a number of sites saying that in order to help protect your database from a potential dictionary attack you should add a random string of characters to the password.

Sounds great :)

But I am unsure what to do with the salt once I have got it. I know the theory - I need to concatenate my user's password and the salt before checking authentication - but wouldn't that require me storing the salt in plain text in the database? And wouldn't that negate the reason for using it in the first place? Or have I got it totally wrong (again)?

Any pointers?
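For reference, the mechanics elgumbo describes (concatenate salt and password, hash the result, keep the salt in plain text next to the hash) in PHP 7+. This is an added example, not code from any poster in the thread; the record keys `salt` and `pw_hash` are hypothetical column names.

```php
<?php
// Added example (not from the thread): a per-user random salt stored in
// plain text beside the hash. The salt is not a secret; it exists so that
// precomputed dictionary/rainbow tables are useless and two users with the
// same password do not end up with the same stored hash.

declare(strict_types=1);

// Build the stored record for a new user. Keys 'salt' and 'pw_hash' are
// hypothetical column names.
function make_password_record(string $password): array {
    $salt = bin2hex(random_bytes(16));          // 128-bit random salt, hex encoded
    $hash = hash('sha256', $salt . $password);   // hash(salt || password)
    return ['salt' => $salt, 'pw_hash' => $hash];
}

// Verify a login attempt: recompute with the stored (plain-text) salt and
// compare in constant time so the comparison itself leaks no timing signal.
function check_password(array $record, string $attempt): bool {
    $candidate = hash('sha256', $record['salt'] . $attempt);
    return hash_equals($record['pw_hash'], $candidate);
}

// Constructed sample: two users pick the same weak password.
$alice = make_password_record('letmein');
$bob   = make_password_record('letmein');

// Different salts, so the two stored hashes differ even though the
// passwords are identical; the correct password still verifies and a
// near-miss does not.
var_dump($alice['pw_hash'] !== $bob['pw_hash']);
var_dump(check_password($alice, 'letmein'));
var_dump(check_password($alice, 'LetMeIn'));

// Modern PHP (5.5+) packages the same idea with a deliberately slow,
// tunable algorithm and stores salt, algorithm and cost inside the one
// returned string, so nothing extra has to be kept in the database.
$stored = password_hash('letmein', PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $stored));
```

A single SHA-256 over salt and password is shown only to match the thread's description; for real deployments prefer password_hash(), whose cost factor slows brute-force guessing in a way a plain fast hash does not.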

jatar_k

4:04 pm on Dec 15, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



For certain things I have used salts. Normally they actually lived in a file somewhere, outside of the web root with specific permissions.

I don't find it a huge problem as the server would need to be compromised to grab it and at that point losing my salt would be the least of my worries.

It is an acceptable risk.

victor

12:39 am on Dec 16, 2005 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



If someone gets to your password file, the server is compromised, as jatar_k says. Or maybe your backups are compromised, or your local copy on your PC for development. Something, somewhere got compromised.

But perhaps not everything did...

If the salt is saved somewhere else, then the bad guys need both the salt and the password file. So you may still be fairly safe if they have only one or the other.

One way would be to use the first and last couple of letters of the user name as salt plus the date they joined. The salt then would, in effect, be code in the logon CGI script. If your cgi-bin has not been compromised, and you haven't told people of your salt algorithm, then the salt remains secret.

The salt is an added safety check that buys you a little bit more safety. It alone cannot keep everything totally secure.

PSWorx

5:14 am on Dec 16, 2005 (gmt 0)

10+ Year Member



>> for certain things I have used salts. Normally they actually lived in a file somewhere, outside of the web root with specific permissions.

How exactly would I go about this so my script can access a config file below the root directory?

TIA

elgumbo

8:58 am on Dec 16, 2005 (gmt 0)

10+ Year Member



Thanks for the advice. I think I need to look into this a bit more.

jatar_k

5:05 pm on Dec 16, 2005 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



>> so my script can access a config file below the root directory

You just put it above the root and then you can use include to have your script access it.

PSWorx

5:45 pm on Dec 16, 2005 (gmt 0)

10+ Year Member



Cool, I didn't realise it was OK for scripts to go back beyond the root directory of the web site. Much appreciated.