Rough notes on a chatterbox discussion.
How about md5 crypts instead of password in the cookie? That would allow passwords > 8 chars (with a user table change).
md5 may be too CPU expensive; needs to be tested.
An md5 crypt certainly takes more time than a des crypt: one some machine the md5 crypt seems to take 5e-4 second, the des takes 1.3e-5 seconds.
(comments about $3$/NT-hash)
Instead of comparing hashed password in cookie to hash of clear password in database, store the hashed password in the database and the non-salt part of it in the cookie; authenticate cookies via string compare.
Later, unhashed password will be eliminated.
update user edit page to require the previous password in order to change the password
have a real "password reset e-mail" feature
A math joke: r = | |csc(θ)|+|sec(θ)|-||csc(θ)|-|sec(θ)|| |
Online Fortune Cookie Search