Basically, what I'm asking is if salting a password by appending a hashed version of it to the end of it is just as secure as salting with a different string. So:
Is this:
$pass = "pass";
$salt = sha1(md5($pass));
$pass = md5($pass.$salt);
As secure as this?
$pass = "pass";
$salt = "4D9ds*^dkrUI45^#dkd*3fD8&!dlvd*";
$pass = md5($pass.$salt);
分享 The first example is as secure as hashing without using any salt at all, because it still just requires the password and nothing more to crack. In other words, you are just applying the hashing functions to the same thing a few times more.
A better bet is still to create a salt for each user and store it alongside, separately. A fixed salt for everyone is alright, I guess, because you cannot use the password to determine the salt. However, generating a unique salt for each user is even better because then it would take more information than just the password to crack it (e.g. username, date registered, or some other info).
分享
