16
my points:
1- in a live website if i care about security i will install protector and then nobody can do a brute force to find the passwords. therefore we just have problems when the hacker use a non xoops method to access my database like server hacking or stole my laptop, ...
2- i want my users to be convenient and use a password with their own risk. they can use even 123. i will suggest and recommend them to use harder passwords but my website should be user-friendly and i dont want to lose a user by forcing him to use a hard password to protect my website.
3- using a salt password will guarantee my website security while my users have their own simple passwords.
4- salt password can be store in database and not in files.
5- salt password can be change randomly for each user. you can make it very hard and very very secure.
We can randomize the hashes by appending or prepending a random string, called a salt, to the password before hashing. As shown in the example above, this makes the same password hash into a completely different string every time. To check if a password is correct, we need the salt, so it is usually stored in the user account database along with the hash, or as part of the hash string itself.
http://crackstation.net/hashing-security.htm6- implementation of a salt password hash system in xoops core could be done with very less hack in the current system.
