in reply to Replacing crypt() for password login via a digest - looking for stronger alternative
In the comments of the article you refer to it says...
In a more real life scenario, $shash would likely be retrieved from the DB you use to maintain credentials.
When passwords are leaked, I have always assumed that someone has somehow maliciously extracted the data from the User (or equivalent) database table. From this they have got a list of email addresses and password hashes. But if the database table also has the salts in it, is it any more secure than just using a strong encryption algorithm without salting?
Personally I keep name and email address data in a different table to the user ID and encrypted passwords. That table exists in a different schema, albeit within the same RDBMS.
|
---|
Replies are listed 'Best First'. | |
---|---|
Re^2: Replacing crypt() for password login via a digest - looking for stronger alternative
by bliako (Monsignor) on Jun 18, 2021 at 07:30 UTC | |
by Bod (Parson) on Jun 19, 2021 at 16:47 UTC | |
by hippo (Bishop) on Jun 19, 2021 at 18:06 UTC | |
by bliako (Monsignor) on Jun 24, 2021 at 13:19 UTC |