Salted passwords?

bigodines · #1 (**permalink**) 01-09-2008, 02:11 PM

How can I authenticate salted passwords with Zend_Auth_Adapter_DbTable ?

SpotSec · #2 (**permalink**) 01-13-2008, 02:31 AM

Generally you would salt the pw before handing it over to Zend_Auth to validate.

shadowdani · #3 (**permalink**) 02-05-2008, 08:19 PM

I don't know if you still need it but I use this method:

PHP Code:


			
$adapter->setCredentialTreatment('your salting method')

You can set it also when you create the instance of Zend_Auth_Adapter_DbTable, its the 5th parameter:

PHP Code:


			
new Zend_Auth_Adapter_DbTable($db, 

    'your db table name', 

    'your user column name', 

    'your credential column name', 

    'your salting method')

To salt the password you could use

PHP Code:


			
MD5(CONCAT(?,'yoursalt'))

as argument in the method

notrub225 · #4 (**permalink**) 02-12-2008, 04:00 PM

What is 'salting a password'?

Does that mean saving the password as an encrypted string?

Salz` · #5 (**permalink**) 02-13-2008, 08:52 AM

if you just do md5($passwort) someone who get an dump of your Database is maybe able to search at md5.rednoize.com - reverse engineer md5 hashes for it. For Example, there is an user with the passwort md5 098f6bcd4621d373cade4e832627b4f6 now search at md5.renoize.com for it: Search 098f6bcd4621d373cade4e832627b4f6

No the "owner" of your dump is able to login with the original passwort.

if you salt your passwort, for example with the login name (bad idea), the md5 for Salz`test looks like this: 99a5e84373b3bac5aeeaca03669556ed (md5.rednoize can lookup, cause i use it to generate the checksum)
This makes more difficult to get the passwort.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode