Add salt to user passwords
User passwords are stored as SHA1(password), which makes them vulnerable to a dictionary attack by an attacker who gains access to the database.
The change consists of generating a salt for each user and storing SHA1(salt+SHA1(password)) in the database.
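The scheme described above, worked through as an added example (not the project's own code; the method names are this example's own): per-user salt generation, the SHA1(salt+SHA1(password)) construction, a constant-time verification check, and a demonstration that a precomputed table of SHA1(password) values no longer matches what is stored.

```ruby
require 'digest/sha1'
require 'securerandom'

# SHA1(password), the inner hash of the scheme (also what the old storage held).
def hash_password(clear)
  Digest::SHA1.hexdigest(clear.to_s)
end

# A fresh random salt per user; it is stored next to the hash, not kept secret.
def generate_salt
  SecureRandom.hex(16)
end

# The stored value: SHA1(salt + SHA1(password)).
def salted_hash(salt, clear)
  hash_password("#{salt}#{hash_password(clear)}")
end

# Verify a login attempt against the stored salt and hash. The comparison is
# constant-time so the check does not leak how many leading bytes matched.
def password_valid?(stored_salt, stored_hash, candidate)
  computed = salted_hash(stored_salt, candidate)
  return false unless computed.bytesize == stored_hash.bytesize
  computed.bytes.zip(stored_hash.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Simulates an attacker holding a precomputed dictionary of SHA1(word) values
# and checking whether a stored hash appears in it. Against the unsalted
# storage this hits; against the salted storage it does not.
def dictionary_lookup_hits?(stored_hash, dictionary)
  dictionary.any? { |word| hash_password(word) == stored_hash }
end

if __FILE__ == $0
  salt = generate_salt
  stored = salted_hash(salt, 'secret')
  puts "salt=#{salt} stored=#{stored}"
  puts "login ok?        #{password_valid?(salt, stored, 'secret')}"
  puts "unsalted in dict? #{dictionary_lookup_hits?(hash_password('secret'), %w[secret])}"
  puts "salted in dict?   #{dictionary_lookup_hits?(stored, %w[secret])}"
end
```

Note that the salt defeats a table shared across users and forces the attacker to recompute per user; it does not make each individual guess slower, since SHA1 itself remains fast.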
Updated by Rick I almost 13 years ago
Rick I wrote:
So now if an attacker gets hold of the database, all he has to do is remove the leading salt (since the salt is stored in the DB) and proceed with the dictionary attack. I don't see how this makes the password any more secure...
I take it all back. I didn't see that salt+password_hash is hashed again... my bad :F