Hi everyone and thanks for reading.
Up until yesterday I was unaware of this technique, and have always just ran a user's password through md5 and stored the result to the database. From what I've been reading about SALT it sounds like a very cool way of making your passwords practically uncrackable, but I have a question or two.
$pass = mysql_real_escape_string($_POST['password']); $salt = 'a7dHsgQs0eiPsksd'; $password = md5($salt . $pass); $sql = mysql_query("INSERT INTO table (password) VALUES ('$password')";
I understand what this code is doing and that after running it, my 'salted' password will be stored to the database, but when I'm checking a user's login attempt, will the code not be something like this?
$salt = 'a7dHsgQs0eiPsksd'; $pass = mysql_real_escape_string($_POST['password']); $password = md5($salt . $pass); $sql = mysql_query("SELECT * FROM table WHERE 'password' = '$password' LIMIT 1";
So even though you've salted the password, the cracker can still type a common word in the text box, and have a chance of cracking the user's account, because I'm salting whatever they put? Or is SALT more of a security precaution for if ever your database got leaked and the crackers tried to reverse engineer the salted password?
Thanks for any clarification,