Revision as of 09:49, 7 November 2006 by Stephendv
I use a very similar scheme in my applications, but 2 points that came to mind whilst reading.
- Iterations of at least 1000 times seemed a bit excessive, but it is in the standard and I'm in no way qualified to critise.
- Instead of storing salt in it's own field I usually include it amongst the password (i.e characters 2, 4, 7, 13, 17, 19) to make it that bit harder to even find the salt value. I generally hex encode the hashes as well to make them a bit easier to work with. Assuming decompiled code is available (as an attacker has gained access to the password hashes) this extra salt hiding may not serve any useless purpose.