Hi,
Weird. I've fixed it, after some poking of the function. It now base64-decodes the password once, and only once.
Well... is that a complete fix? Looks to me like there is still the *small* chance of a) the decoded SSHA1 value containing only bytes which are allowed in base64 b) the salt being so long that it grows the whole decoded string to more than 4/3 of the min_length c) the salt having exclusively bytes which are allowed in base64; possibly ending in = sign(s) If all these are met, a second decoding would be done, and be successful - except the user wouldn't be able to log in because the new decoded content would not match his password any more. I guess I can live with that small chance, but... clean is something else. How about if you owe me a beer if that unlikely situation becomes true :-) Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche 6, rue Richard Coudenhove-Kalergi L-1359 Luxembourg Tel: +352 424409 1 Fax: +352 422473