I agree that the salt should be different for each password. Dilbert's spot on in that fact.
While we're sharing our schemas, the one that I'm currently a fan of is: first I append a random salt to the password so we have a <salt><password> string. From there I do a quick encryption of the string (Rijndael, static key/IV) and then hash it (SHA256).
The overhead isn't too bad at all, but I have not tested it with, say... 10,000 simultaneous logins or anything.
__________________
There is no such thing as "Bug Free" software... there is only software with an acceptable (and documented) level of failure.
Hack the Planet!!!!
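The scheme in the post above, written out as an added example (this is editor-supplied code, not the poster's own): a random per-password salt is prepended to the password, the result is encrypted with AES (Rijndael with a 128-bit block) in CBC mode under a static key and IV, and the ciphertext is hashed with SHA-256. The key and IV bytes, the 16-byte salt length, the PKCS#7 padding and the function names are assumptions made for the example; the post does not specify them.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
)

// Static key and IV, as the post describes. These particular bytes are
// an assumption for the example, not values from the post.
var staticKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256
var staticIV = []byte("fedcba9876543210")                   // 16 bytes, one AES block

// pkcs7Pad pads the input to a multiple of the AES block size so CBC can
// process it. Padding scheme is an assumption; the post does not name one.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// NewSalt returns n random bytes from the OS CSPRNG; one fresh salt per password.
func NewSalt(n int) ([]byte, error) {
	s := make([]byte, n)
	if _, err := rand.Read(s); err != nil {
		return nil, err
	}
	return s, nil
}

// HashPassword implements the posted scheme:
//   <salt><password>  ->  AES-CBC(static key, static IV)  ->  SHA-256 (hex).
// Because key and IV are fixed, the transform is deterministic, which is
// what lets Verify recompute it; the salt is what makes the output
// differ between users with the same password.
func HashPassword(salt, password []byte) (string, error) {
	block, err := aes.NewCipher(staticKey)
	if err != nil {
		return "", err
	}
	plain := pkcs7Pad(append(append([]byte{}, salt...), password...))
	ct := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, staticIV).CryptBlocks(ct, plain)
	sum := sha256.Sum256(ct)
	return hex.EncodeToString(sum[:]), nil
}

// Verify recomputes the hash for a login attempt and compares it to the
// stored value in constant time.
func Verify(salt []byte, stored string, password []byte) bool {
	h, err := HashPassword(salt, password)
	if err != nil {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(h), []byte(stored)) == 1
}

func main() {
	// Two users with the same password get different stored hashes
	// because their salts differ.
	for _, user := range []string{"alice", "bob"} {
		salt, err := NewSalt(16)
		if err != nil {
			panic(err)
		}
		h, err := HashPassword(salt, []byte("correct horse"))
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s salt=%x hash=%s\n", user, salt, h)
		fmt.Println("  login ok:", Verify(salt, h, []byte("correct horse")),
			" wrong pw:", Verify(salt, h, []byte("wrong")))
	}
}
```

The salt must be stored next to the hash (it is not secret), while the static key and IV live in the application; a login recomputes the same salt+encrypt+hash chain and compares in constant time.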