Here is a script to generate a 'random' SALT based on the username which means you don't have to store anything in your database as an additional salt.
Counts the number of vowels in the username and then uses this to change the bit of the SALT that the username uses.
Not too system taxing, looking for ways to make it even more 'random' but still based on the username and password input.
I've got a very secure authentication mechanism which uses the length of the password in conjunction with the actual password to generate the salt. It's impossible to create the salt without knowing the length of the password. If you're interested, let me know.
Jonah Bron wrote: @Benjamin: again, why not just MD5 the username? But I would be interested in seeing your code.
Because weak passwords can easily be discovered using rainbow tables when it's just a plain MD5 hash or if the salt is known. I'll post it in a new thread shortly.
True, but then wouldn't creating a salt based on the length of the password be security through obscur... ohhhh, I see: because the password isn't known. Gotcha. I would really like to see the code now.
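Added example, not code from any poster in this thread: it contrasts a salt computed from the username, as described in the first post, with a random per-hash salt stored alongside the hash using PHP's built-in password API. The first post's script is not shown, so `SITE_SALT`, `username_salt()` and `derived_hash()` are hypothetical stand-ins, and the usernames and passwords are constructed sample values.

```php
<?php
// Assumed stand-in for the scheme in the first post (its script is not shown):
// the vowel count picks where the username is spliced into a fixed site string.
// SITE_SALT and both function names are hypothetical.
const SITE_SALT = 'constructed-site-salt-0123456789';

function username_salt(string $username): string
{
    $vowels = preg_match_all('/[aeiou]/i', $username);
    $pos = $vowels % strlen(SITE_SALT);
    return substr(SITE_SALT, 0, $pos) . $username . substr(SITE_SALT, $pos);
}

function derived_hash(string $username, string $password): string
{
    return hash('sha256', username_salt($username) . $password);
}

// 1. The salt is a pure function of the username and the code, so the same
//    account with the same password always yields the same hash, and anyone
//    holding the code can compute the salt without reading the database.
$a = derived_hash('alice', 'hunter2');
$b = derived_hash('alice', 'hunter2');
var_dump($a === $b);

// 2. password_hash() draws a fresh random salt on every call and embeds the
//    salt, algorithm and cost in its output, so a single column stores it all
//    and two hashes of the same password differ.
$h1 = password_hash('hunter2', PASSWORD_DEFAULT);
$h2 = password_hash('hunter2', PASSWORD_DEFAULT);
var_dump($h1 === $h2);

// 3. Verification reads the salt back out of the stored string.
var_dump(password_verify('hunter2', $h1));
var_dump(password_verify('hunter2', $h2));
var_dump(password_verify('hunter3', $h1));

// 4. On login, a stored hash can be upgraded when the desired cost changes.
if (password_needs_rehash($h1, PASSWORD_DEFAULT, ['cost' => 12])) {
    $h1 = password_hash('hunter2', PASSWORD_DEFAULT, ['cost' => 12]);
}
var_dump(password_get_info($h1)['algoName']);
```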