MyBB Community Forums

Full Version: How & Why Salt Key is used when logging in and Registration
Hello All,

I am not an expert in MyBB and PHP, but I wanted to implement a login similar to MyBB's. I went through the source code and found a field "Salt Key" in the user table.

My questions are:
What is the Salt Key?
Why is the Salt Key used?
How is it used?

Please, someone help me to understand...

Thanks.
DrPoodle Wrote: Please read: http://community.mybboard.net/showthread.php?tid=5727

Hello DrPoodle,

Thanks for your reply.
I have gone through that, and I have understood that the password is stored like md5(md5("my password").md5("salt")).

password => User Supplied.
salt => Randomly generated at the time of registration

So my question is:
Suppose someone uses a packet sniffer to find out what is going to the server from a particular browser (XYZ user). Can he then take the same password (in whatever form) and send the same from his machine to log in as this particular user (XYZ user)?
In other words, if he sends the same request from his machine with all the POST data, how will that be avoided?

Am I right? (I may be wrong...)

If I am posting in the wrong forum, please correct me.
If you have someone sniffing your packets you are screwed no matter what. The security of a salt is server side, NOT client side.
Yeah, the only solution to packet sniffing is to make sure the login and registration pages are SSL encrypted (https).
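
Added example, not part of the original thread and not MyBB's own code: a PHP illustration of the point made in the two replies above, that a salt protects the stored hash on the server and does nothing for a request copied in transit. The hash formula is taken as written in the post above; the function names, the `$users` array and the sample accounts are hypothetical, and `password_hash()` is shown beside it as PHP's current built-in alternative.

```php
<?php
// Scheme as written in the post above: md5(md5(password) . md5(salt)).
function salted_md5(string $password, string $salt): string {
    return md5(md5($password) . md5($salt));
}

// Registration: a fresh random salt per user is stored beside the hash.
// (hypothetical helper; $users stands in for the user table)
function register(array &$users, string $name, string $password): void {
    $salt = bin2hex(random_bytes(8));
    $users[$name] = [
        'salt'   => $salt,
        'md5'    => salted_md5($password, $salt),
        // password_hash() picks a slow algorithm and embeds its own salt.
        'modern' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// Login: the server recomputes the hash from the submitted password and
// the stored salt, then compares the two in constant time.
function check_login(array $users, array $post): bool {
    $u = $users[$post['username']] ?? null;
    if ($u === null) {
        return false;
    }
    return hash_equals($u['md5'], salted_md5($post['password'], $u['salt']));
}

$users = [];
register($users, 'alice', 'correct horse');   // constructed sample accounts
register($users, 'bob',   'correct horse');

// 1. Same password, different salts: the stored hashes differ, so a leaked
//    user table does not show which accounts share a password.
var_dump($users['alice']['md5'] === $users['bob']['md5']);

// 2. The login form submits the password itself; the salt never leaves the
//    server. A byte-for-byte copy of the POST data is indistinguishable from
//    the original, so both calls give the same result.
$request = ['username' => 'alice', 'password' => 'correct horse'];
$copy    = $request;
var_dump(check_login($users, $request), check_login($users, $copy));

// 3. Verifying against the password_hash() value needs no separate salt column.
var_dump(password_verify('correct horse', $users['alice']['modern']));
```

Serving the login and registration pages over HTTPS encrypts the request in step 2 in transit, which is the fix the replies point to.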
Hello All,

Thanks for your comments.