Storing passwords in database

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
Rem
Forum Newbie
Posts: 3
Joined: Mon Jul 12, 2010 8:49 am

Storing passwords in database

Post by Rem »

Hello

I've just started looking into encryption for storing passwords in a mysql database and every article I read says something different. In the past I've just used md5() to encrypt the passwords and after some reading md5 is supposedly not very safe.

I've read up on using salts when encrypting. From my understanding salts are just used to prevent rainbow table attacks (correct me if I'm wrong). Now if someone is able to get a copy of my entire database to use a rainbow table attack on, wouldn't they easily be able to find out the salt I am using?

Below is what I am currently thinking of doing.

Code: Select all

$userjoindate = "1278929952"; //this is grabbed from the database
$pass = "abc";
$salt = "klsdfsjlk8kjwlew89huj" . $pass . $userjoindate;
$pass = $salt . hash("whirlpool",$salt); 
With what I stated above if someone is able to get a copy of my database, wouldn't they be able to get a copy of my .php script that shows how it is getting encrypted making the salt worthless?

Any help would be greatly appreciated thanks.
User avatar
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Storing passwords in database

Post by timWebUK »

Just because someone may get your database, doesn't mean they have file system access... unless you use the same password for both :roll:

You should have a dynamically created salt for each user stored in the database (every user has their own salt). This limits attacks to one account at a time.

Then you should also store a static salt in the filesystem/php file that never changes. That way an attacker would have to obtain access to your database AND your filesystem/FTP.

Without the static salt, time-wise, it is nearly impossible to crack the hash with bruteforce or rainbow.
User avatar
Apollo
Forum Regular
Posts: 794
Joined: Wed Apr 30, 2008 2:34 am

Re: Storing passwords in database

Post by Apollo »

Just for sake of correct terminology:
- A salt that is user-specific (and in your case it is, as it depends on $userjoindate) is typically called 'pepper', and is usually combined with a global 'salt' constant.
- Encryption is two-way, encrypted data can be decrypted back to the original. For storing passwords you typically use hashing, which just calculates a checksum from which the original data can never be obtained.

Biggest advantage of using pepper instead of (or rather, in addition to) salt, is that nobody will be able to tell if two users use the same password, and it limits a potential rainbow / bruteforce attack to one user entry at a time, instead of the entire userlist.

Regarding md5: it's is still reasonably safe if used wisely, but nonetheless there's really no reason to use anything weaker than sha512 or whirlpool.

Not sure what your code is supposed to demonstrate, but:
Rem wrote:$salt = "klsdfsjlk8kjwlew89huj" . $pass . $userjoindate;
$pass = $salt . hash("whirlpool",$salt);
if you store this resulting $pass string in your database, then you are storing the original password, raw salt (+pepper), AND the hash together, which is as unsafe as it gets :)

Just store hash("whirlpool",$salt) and you'll be safe. If someone ever gets access to your database, they won't be able to apply a rainbow table attack, and they certainly won't be able to find the salt you used.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Storing passwords in database

Post by Mordred »

User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Storing passwords in database

Post by kaisellgren »

Rem wrote:From my understanding salts are just used to prevent rainbow table attacks (correct me if I'm wrong).
Yes they are mainly to prevent rainbow table attacks, but they do also make the hash of same passwords across users different.
Rem wrote:Now if someone is able to get a copy of my entire database to use a rainbow table attack on, wouldn't they easily be able to find out the salt I am using?
...
With what I stated above if someone is able to get a copy of my database, wouldn't they be able to get a copy of my .php script that shows how it is getting encrypted making the salt worthless?
It does not matter if they get your salt. Your salt can be public and revealed to everyone and it will not cause you any trouble.
Post Reply