username/password encryption help.
Moderator: General Moderators
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
username/password encryption help.
I've written code to store usernames and passwords in a database. Usernames are stored as is, in string format, and passwords are hashed with a randomly generated integer of variable length.
Is this a good method to encrypt passwords against the possible threat of rainbow tables and brute force attacks? Well, I used sha1 for hashing the passwords.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: username/password encryption help.
phazorRise wrote: Well I used sha1 for hashing the passwords.
It is a good idea to use a salt (and even a pepper). It's a better idea to have the hash that you store be updated after each login with a new salt. The security section contains a few discussions about this specific topic.
phazorRise wrote: And passwords are hashed with a randomly generated integer of variable length. Is this a good method to encrypt passwords against the possible threat of rainbow tables and brute force attacks?
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: username/password encryption help.
social_experiment wrote: It's a better idea to have the hash that you store be updated after each login with a new salt.
Umm, I didn't get that.
This is what I'm doing right now -
Code:
<?php
// $data['pass'] holds the password as submitted by the user.
$data['key']  = md5(rand(1000, 99999));              // per-user salt: md5 of a small random integer
$data['pass'] = sha1($data['key'] . $data['pass']);  // stored value: sha1(salt . password)
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: username/password encryption help.
phazorRise wrote: What's the way you're suggesting?
Assume the hash for a password is 1234 and the salt is 5678. If I log in with the correct details, a new salt is generated (0123) and after that the new hash for the password will be 3456, so if my password hash was known (the 1234 hash), it is now changed, along with the salt. If this is already your method then you are on a better path.
Lastly, you should only use md5 for...nothing. (link: is md5 broken?)
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
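An added example of the scheme the two replies above describe (a per-user random salt, a pepper kept out of the database, and the stored hash regenerated with a fresh salt after every successful login). This is not code from the thread; it uses PHP's built-in password_hash()/password_verify() (bcrypt, PHP 5.5 or later, with ?string return types needing PHP 7.1), and the pepper value, user record and passwords are constructed for the example. Where the thread uses a hand-rolled sha1/sha256 over salt and password, this uses a deliberately slow hash so that brute force against a leaked table is expensive, and the pepper is applied with an HMAC rather than by string concatenation.

```php
<?php
declare(strict_types=1);

// Assumption: in a real deployment the pepper is loaded from a file outside the
// web root, e.g. $pepper = trim(file_get_contents('/etc/myapp/pepper.key'));
// It is hard-coded here only so the example runs stand-alone.
const PEPPER = 'constructed-example-pepper-change-me';

/**
 * Fold the pepper in with an HMAC before bcrypt. This keeps the bcrypt input
 * short (bcrypt stops at 72 bytes) and free of NUL bytes (base64), and makes
 * the stored hash useless to anyone who has the table but not the pepper.
 */
function pepperPassword(string $password, string $pepper): string
{
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}

/** Hash for storage. bcrypt generates its own random salt and embeds it in the output. */
function hashPassword(string $password, string $pepper = PEPPER): string
{
    return password_hash(pepperPassword($password, $pepper), PASSWORD_BCRYPT, ['cost' => 12]);
}

/**
 * Verify a login and, on success, return a freshly salted hash for the caller
 * to store in place of the old one (the "new salt after each login" idea).
 * Returns null on failure so nothing is ever written for a bad login.
 */
function verifyAndRotate(string $password, string $storedHash, string $pepper = PEPPER): ?string
{
    if (!password_verify(pepperPassword($password, $pepper), $storedHash)) {
        return null;
    }
    // Re-hash unconditionally: new random salt, and the stored value also
    // picks up a raised cost or a changed algorithm if the parameters change.
    return hashPassword($password, $pepper);
}

// Constructed demo user record (not real data).
$users = ['alice' => hashPassword('correct horse battery staple')];

$rotated = verifyAndRotate('correct horse battery staple', $users['alice']);
assert($rotated !== null && $rotated !== $users['alice']); // same password, different salt
$users['alice'] = $rotated;                                 // persist the new hash

assert(verifyAndRotate('wrong password', $users['alice']) === null);
assert(verifyAndRotate('correct horse battery staple', $users['alice']) !== null);
echo "ok\n";
```

Rotating the hash on login does not make the old hash any harder to crack if it was already copied; what it buys is that a hash captured once stops matching what is stored, and that every login is an opportunity to migrate to a stronger cost or algorithm without a separate migration job.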
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: username/password encryption help.
Yes, that would be better.
Well, I'm using md5 just to create a hash out of some random number. I guess that's alright to use it here.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: username/password encryption help.
phazorRise wrote: I guess that's alright to use it here.
Comes down to personal choice probably; if you are aware of the risks and you still use it then only you can be held responsible for any issues arising from the matter.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: username/password encryption help.
Well, after your previous post I did something like -
Code:
<?php
// $data['pass'] holds the password as submitted by the user.
$data['key']  = str_rot13(sha1(rand(1000, 99999)));              // per-user salt: rot13 of sha1 of a small random integer
$data['pass'] = hash('sha256', $data['key'] . $data['pass']);    // stored value: sha256(salt . password)
and also changing the salt after each login.
I'm aware of what might happen if I use just md5. So I changed the code a bit. At first I was planning to use a timestamp as the salt, but then I thought it'd be better if I used a random number hash and, as you suggested, changing it on each login will be safer.
Another thing I'm worried about is cookies and sessions. They both need to be handled carefully. Still finding the way.
Edit: I guess we can't do anything else apart from deciding where to store them and applying hashes.
- social_experiment
- DevNet Master
- Posts: 2793
- Joined: Sun Feb 15, 2009 11:08 am
- Location: .za
Re: username/password encryption help.
Yes, the problem wasn't with the method for creating the random token but rather with the hash used.
phazorRise wrote: Another thing I'm worried about is cookies and sessions. They both need to be handled carefully. Still finding the way.
Edit: I guess we can't do anything else apart from deciding where to store them and applying hashes.
Cookies are the more difficult option of the two to secure and use securely; unless you use https, but even then the cookie can be viewed and possibly even modified. Imo the easiest part of this chain to strengthen is where the checking is done to see if the cookie / session is indeed a valid one.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
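An added example of the "strengthen the check" advice in the reply above, not code from the thread: a "remember me" cookie the server validates without trusting anything in it. The cookie carries a random selector (for the database lookup) and a random validator; the table stores only a SHA-256 of the validator, so a leaked table cannot be turned into a working cookie, and the comparison is constant-time. The token table is an in-memory array standing in for a database, and the user id and timestamps are constructed for the example; the cookie flags shown assume PHP 7.3 or later for the setcookie() options array.

```php
<?php
declare(strict_types=1);

const TOKEN_LIFETIME = 30 * 24 * 3600; // 30 days, in seconds

/**
 * Issue a token. Returns [cookie value, selector, row to store].
 * The selector is public; the validator is the secret and never hits the DB in clear.
 */
function issueRememberToken(int $userId, int $now): array
{
    $selector  = bin2hex(random_bytes(12)); // lookup key, safe to store as-is
    $validator = random_bytes(32);          // 256-bit secret, only its hash is stored
    $row = [
        'user_id'          => $userId,
        'hashed_validator' => hash('sha256', $validator),
        'expires'          => $now + TOKEN_LIFETIME,
    ];
    return [$selector . ':' . base64_encode($validator), $selector, $row];
}

/** Validate a presented cookie against the table; returns the user id or null. */
function checkRememberToken(string $cookie, array $table, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $encoded] = $parts;
    $validator = base64_decode($encoded, true);
    if ($validator === false || !isset($table[$selector])) {
        return null;
    }
    $row = $table[$selector];
    if ($row['expires'] < $now) {
        return null;
    }
    // Constant-time compare of the stored hash against the hash of what the client sent.
    if (!hash_equals($row['hashed_validator'], hash('sha256', $validator))) {
        return null;
    }
    return $row['user_id'];
}

/**
 * Options for setcookie('remember', $cookie, rememberCookieOptions($now)):
 * Secure so it only travels over HTTPS, HttpOnly so script cannot read it,
 * SameSite so it is not attached to cross-site requests. Not executed here.
 */
function rememberCookieOptions(int $now): array
{
    return [
        'expires'  => $now + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Constructed demo (not real data).
$now   = 1700000000;
$table = [];
[$cookie, $selector, $row] = issueRememberToken(42, $now);
$table[$selector] = $row;

assert(checkRememberToken($cookie, $table, $now) === 42);
// Forged validator for a real selector: hash mismatch, rejected.
assert(checkRememberToken($selector . ':' . base64_encode(str_repeat("\0", 32)), $table, $now) === null);
// Same cookie after the lifetime has passed: rejected.
assert(checkRememberToken($cookie, $table, $now + TOKEN_LIFETIME + 1) === null);
echo "ok\n";
```

When the token is accepted, the normal session should still be started fresh (session_regenerate_id(true) after login) rather than reusing whatever session id the browser already had, and a token that fails the hash check for a known selector is worth logging, since it means someone has a selector without the matching secret.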
Re: username/password encryption help.
Read the article in my sig, see if it answers something for you, ask again if there are more questions.
- phazorRise
- Forum Contributor
- Posts: 134
- Joined: Mon Dec 27, 2010 7:58 am
Re: username/password encryption help.
social_experiment wrote: Read the article in my sig, see if it answers something for you, ask again if there are more questions.
Thanks for the link. That's a wonderful post. It cleared most of my doubts. I was not using a pepper in my code, so now I've added a strong pepper and put it into a separate file.
Thanks again.