salt, what is it?


ap0c
08-10-2003, 02:32 AM
In the vb3user field, what does salt char(3) represent? :confused:

MaDCaT75
08-10-2003, 02:49 AM
pepper?

Link14716
08-10-2003, 03:08 AM
Salt is NaCl...

Whoops, wrong salt? Salt is a few screwed up characters that are used for the password hash to make it more secure. I think it's something like

md5(md5($password) + md5($salt))

Erwin
08-10-2003, 08:01 AM
It's an additional level of encryption that makes it virtually impossible to reverse an md5 encrypted password.

N9ne
08-10-2003, 01:19 PM
I believe there's even more to it than that, I think they mix in the userid too?

ap0c
08-10-2003, 01:29 PM
ok, thanks

Link14716
08-10-2003, 10:12 PM
Today at 10:19 AM N9ne said this in Post #5 (https://vborg.vbsupport.ru/showthread.php?postid=424848#post424848)
I believe there's even more to it than that, I think they mix in the userid too?


Actually, I was slightly wrong.

if ($bbuserinfo['password'] != md5(md5($password) . $bbuserinfo['salt']) AND $bbuserinfo['password'] != md5($md5password . $bbuserinfo['salt']))

Close enough, but the salt is only md5'd once while the password is md5'd by itself and then again with the salt. :)
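
The scheme and the two-branch check quoted in the post above, as an added PHP example that is not part of the thread and is not vBulletin's own code. The function names and the two sample users are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not vBulletin's own.

// Scheme quoted in the thread: md5(md5($password) . $salt)
function vb3_style_hash(string $password, string $salt): string
{
    return md5(md5($password) . $salt);
}

// Mirrors the quoted check: the client may send the plaintext password
// or an already-computed md5 of it ($md5password).
function vb3_style_verify(string $stored, string $salt, ?string $password, ?string $md5password): bool
{
    $candidates = [];
    if ($password !== null) {
        $candidates[] = md5(md5($password) . $salt);
    }
    if ($md5password !== null) {
        $candidates[] = md5($md5password . $salt);
    }
    $ok = false;
    foreach ($candidates as $candidate) {
        // hash_equals() is constant-time and, unlike the loose != in the
        // quoted line, never compares numeric-looking strings as numbers.
        $ok = hash_equals($stored, $candidate) || $ok;
    }
    return $ok;
}

// Constructed sample data: two users, same password, different 3-character salts.
$password = 'correct horse';
$users = ['alice' => ['salt' => 'a#9'], 'bob' => ['salt' => 'Zq!']];
foreach ($users as $name => $u) {
    $users[$name]['password'] = vb3_style_hash($password, $u['salt']);
}

// Same password, different stored hashes: one precomputed table cannot cover both rows.
var_dump($users['alice']['password'] !== $users['bob']['password']);
// Both branches of the check accept the right password; a wrong one is rejected.
var_dump(vb3_style_verify($users['alice']['password'], $users['alice']['salt'], $password, null));
var_dump(vb3_style_verify($users['alice']['password'], $users['alice']['salt'], null, md5($password)));
var_dump(vb3_style_verify($users['bob']['password'], $users['bob']['salt'], 'wrong', null));

// MD5 is fast, so the salt does not slow down guessing against a single row.
// Current PHP provides password_hash(), which salts and applies a slow hash.
$modern = password_hash($password, PASSWORD_DEFAULT);
var_dump(password_verify($password, $modern));
```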

N9ne
08-10-2003, 11:41 PM
Hmm in functions_newpost.php or something I saw some weird line of a loada md5'ing going on including some other stuff :confused:

Looks like they really kept security in mind when making vB3 :eek:

pie
08-10-2003, 11:53 PM
maybe the md5 thing there was for the login on making new posts?

NTLDR
08-10-2003, 11:55 PM
It's the posthash I expect, which is used for attachments amongst other things I suspect.

ap0c
08-11-2003, 01:26 AM
Not entirely on the subject, but is there an easy query to add a vb3phrase instead of using the phrase manager?
I don't like that thing.

Link14716
08-11-2003, 02:26 AM
Even if you use phpMyAdmin or a query, you'd still have to edit a phrase using the phrase manager to update its cache.

Freddie Bingham
08-11-2003, 04:19 AM
The md5() stuff in functions_newpost.php is just used to make sure you don't double post. It is more robust than using the old query that would compare the post text, title, etc against entries in the database.