The DB has a plain copy of the password, yes? And it hashes this stored value with the received salt and compares it with the received hash. This is what I said (or meant to say) in the first place. Except I didn't mean to say "plain".

Jon