username/password encryption help.
Posted: Sun Jul 24, 2011 1:35 pm
by phazorRise
I've written code to store usernames and passwords in a database. Usernames are stored as-is, in string format, and passwords are hashed with a randomly generated integer of variable length.
Is this a good method to encrypt passwords against the possible threat of rainbow tables and brute-force attacks? Well, I used SHA1 for hashing the passwords.
Re: username/password encryption help.
Posted: Mon Jul 25, 2011 10:43 am
by social_experiment
phazorRise wrote: Well, I used SHA1 for hashing the passwords.
phazorRise wrote: And passwords are hashed with a randomly generated integer of variable length.
Is this a good method to encrypt passwords against the possible threat of rainbow tables and brute-force attacks?
It is a good idea to use a salt (and even a pepper). It's a better idea to have the hash that you store updated after each login with a new salt. The security section contains a few discussions about this specific topic.
Re: username/password encryption help.
Posted: Mon Jul 25, 2011 12:17 pm
by phazorRise
social_experiment wrote: It's a better idea to have the hash that you store updated after each login with a new salt
Umm, I didn't get that.
This is what I'm doing right now:
<?php
// $data['pass'] holds the submitted plaintext password; rand() is not a CSPRNG.
$data['key']  = md5(rand(1000, 99999));              // salt: md5 of a random integer
$data['pass'] = sha1($data['key'] . $data['pass']);  // stored hash: sha1(salt . password)
So here, the salt is md5($data['key']). What's the way you're suggesting?

Re: username/password encryption help.
Posted: Tue Jul 26, 2011 5:30 am
by social_experiment
phazorRise wrote: What's the way you're suggesting?
Assume the hash for a password is 1234 and the salt is 5678. If I log in with the correct details, a new salt is generated (0123) and after that the new hash for the password will be 3456, so if my password hash was known (the 1234 hash), it is now changed, along with the salt. If this is already your method, then you are on a better path.
Lastly, you should only use md5 for...nothing.
is md5 broken?
Re: username/password encryption help.
Posted: Wed Jul 27, 2011 12:13 pm
by phazorRise
Yes, that would be better.
Well, I'm using md5 just to create a hash out of some random number. I guess that's alright to use it here.
Re: username/password encryption help.
Posted: Sat Jul 30, 2011 10:35 am
by social_experiment
phazorRise wrote: I guess that's alright to use it here.
It comes down to personal choice, probably; if you are aware of the risks and you still use it, then only you can be held responsible for any issues arising from the matter.
Re: username/password encryption help.
Posted: Sat Jul 30, 2011 4:08 pm
by phazorRise
Well, after your previous post I did something like this:
<?php
// $data['pass'] holds the submitted plaintext password; hash() takes the algorithm name as a string.
$data['key']  = str_rot13(sha1(rand(1000, 99999)));            // salt: rot13 of sha1 of a random integer
$data['pass'] = hash('sha256', $data['key'] . $data['pass']);  // stored hash: sha256(salt . password)
and I'm also changing the salt after each login.
I'm aware of what it might cause if I use just md5. So I changed the code a bit. At first I was planning to use a timestamp as the salt, but then I thought it'd be better if I used a random-number hash and, as you suggested, changing it on each login will be safer.
Another thing I'm worried about is cookies and sessions. They both need to be handled carefully. Still finding the way.

Edit: I guess we can't do anything else apart from deciding where to store them and applying hashes.
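As an added example (not code from phazorRise or social_experiment, and in Python rather than the thread's PHP), here is the scheme the thread converges on: a random salt per user, a pepper kept outside the database as social_experiment suggested, and a re-hash with a fresh salt on every successful login as described in the "1234 / 5678" post. It swaps the single SHA1 / SHA-256 round for PBKDF2-HMAC-SHA256 from hashlib so that each guess costs real time; the pepper value and the iteration count are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Server-side secret ("pepper"). Constructed value for this example; in a real
# deployment it is generated once and kept outside the database, e.g. in a
# separate config file, which is what the thread ends up doing.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0a1b2c3d4e5f60718293a4b5c6d7e8f90")

# PBKDF2-HMAC-SHA256 work factor. The count is an assumption for the example;
# tune it so one hash costs a noticeable fraction of a second on your hardware.
ITERATIONS = 600_000
SALT_BYTES = 16


def _prehash(password: str) -> bytes:
    """Mix the pepper into the password with HMAC before the slow KDF.

    A dump of the users table alone (salts + hashes) then gives an attacker
    nothing to crack offline: every guess also needs the pepper.
    """
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return the record to store for a user: random salt, slow hash, work factor."""
    if salt is None:
        # secrets.token_bytes is a CSPRNG; rand(1000, 99999) offers about 17 bits.
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", _prehash(password), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", _prehash(password), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def login(password: str, record: dict) -> Tuple[bool, dict]:
    """Check the password; on success return a fresh record with a new salt.

    This is the rotate-on-login step from the thread: the caller writes the
    returned record back to the database, so a hash copied earlier no longer
    matches what is stored. It also lets ITERATIONS be raised over time.
    On failure the original record is returned unchanged.
    """
    if not verify_password(password, record):
        return False, record
    return True, hash_password(password)


if __name__ == "__main__":
    # In-memory stand-in for the users table (constructed sample data).
    users = {"phazor": hash_password("correct horse battery staple")}
    ok, users["phazor"] = login("correct horse battery staple", users["phazor"])
    print("login ok:", ok, "new salt:", users["phazor"]["salt"].hex())
```

Rotating the salt on login changes what sits in the table, but it is the slow KDF and the pepper that actually blunt rainbow tables and brute force: a hash leaked before the rotation is still crackable offline if the underlying hash is a single fast SHA round.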
Re: username/password encryption help.
Posted: Mon Aug 01, 2011 3:16 am
by social_experiment
Yes, the problem wasn't with the method for creating the random token but rather with the hash used.
phazorRise wrote: Another thing I'm worried about is cookies and sessions. They both need to be handled carefully. Still finding the way.
Edit: I guess we can't do anything else apart from deciding where to store them and applying hashes.
Cookies are the more difficult of the two to secure and use securely; unless you use HTTPS, but even then the cookie can be viewed and possibly even modified. IMO the easiest part of this chain to strengthen is where the checking is done to see whether the cookie / session is indeed a valid one.
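One concrete way to strengthen the check social_experiment points at, as an added example that is not from the thread: the session cookie carries its data in the clear (the client can always read it, as noted above) but is bound to a server-side HMAC-SHA256 key, so any modification of the user id or expiry fails verification before the payload is even parsed. The signing key, cookie layout and TTL are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Per-server signing key. Generated at start-up here (assumption for the
# example); in production load it from config so a restart does not log
# everyone out, and rotate it on a schedule.
SESSION_KEY = secrets.token_bytes(32)
SESSION_TTL = 3600  # seconds a cookie stays valid


def b64u_encode(raw: bytes) -> str:
    """base64url without padding; '.' never appears, so it can separate fields."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie(user_id: str, now: Optional[int] = None) -> str:
    """Build "payload.tag": base64url JSON plus an HMAC-SHA256 tag over it.

    Nothing in the payload is secret; the tag is what makes tampering
    detectable. The nonce keeps two cookies for the same user distinct.
    """
    now = int(time.time()) if now is None else now
    nonce = b64u_encode(secrets.token_bytes(16))
    payload = '{"uid":"%s","exp":%d,"nonce":"%s"}' % (
        user_id.replace('"', ""), now + SESSION_TTL, nonce)
    body = b64u_encode(payload.encode("utf-8"))
    tag = hmac.new(SESSION_KEY, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64u_encode(tag)


def validate_cookie(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user id if the cookie is authentic and unexpired, else None.

    Every failure path returns None without saying why, and the tag is checked
    in constant time before the body is decoded, so malformed input never
    reaches the parser unauthenticated.
    """
    import json
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.split(".", 1)
        expected = hmac.new(SESSION_KEY, body.encode("ascii"), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_decode(tag)):
            return None
        payload = json.loads(b64u_decode(body))
    except (ValueError, UnicodeError):
        return None
    if not isinstance(payload, dict):
        return None
    exp, uid = payload.get("exp"), payload.get("uid")
    if not isinstance(exp, int) or not isinstance(uid, str) or exp <= now:
        return None
    return uid


if __name__ == "__main__":
    c = issue_cookie("phazor")
    print("cookie:", c)
    print("validates as:", validate_cookie(c))
```

The same validation shape works for a server-side session id: store only a random id in the cookie and keep the user data in the session store, but still reject ids that fail a length / alphabet check and that have expired, rather than trusting whatever the client sends.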
Re: username/password encryption help.
Posted: Mon Aug 08, 2011 2:20 am
by Mordred
Read the article in my sig, see if it answers something for you, ask again if there are more questions.
Re: username/password encryption help.
Posted: Tue Aug 16, 2011 2:51 pm
by phazorRise
Mordred wrote: Read the article in my sig, see if it answers something for you, ask again if there are more questions.
Thanks for the link.
That's a wonderful post. It cleared most of my doubts. I was not using a pepper in my code, so now I've added a strong pepper and put it in a separate file.
Thanks again.