store password

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

abalfazl
Forum Commoner
Posts: 71
Joined: Mon Sep 05, 2005 10:05 pm

store password

Post by abalfazl »

Hello!

Can you avoid storing the secret?
If you use an alternative implementation technique, it could remove the need to
store secrets. For example, if all you need to do is verify that a user knows a
password, you do not need to store passwords. Store one-way password hashes
instead.
Also, if you use Windows authentication, you avoid storing connection strings
with embedded credentials.

What are "one-way password hashes"? Which "alternative implementation techniques" do you suggest for storing passwords?

Do You Store Secrets?
Secrets include application configuration data, such as account passwords and
encryption keys. If possible, identify alternate design approaches that remove any
reason to store secrets. If you handle secrets, let the platform handle them so that the
burden is lifted from your application wherever possible.

Can someone explain more about this: "If you handle secrets, let the platform handle them so that the
burden is lifted from your application wherever possible"?
andyhoneycutt
Forum Contributor
Posts: 468
Joined: Wed Aug 27, 2008 10:02 am
Location: Idaho Falls

Re: store password

Post by andyhoneycutt »

A one-way password hash is a good way to make sure you can't give away secrets even if you wanted to. For instance, let's say my password is "cheese". If I one-way encrypt this with, say, md5, and store it that way, I lose access to whatever that password really is. Then, in the future, if I want to check to see if I've typed my password correctly, I'll md5 my input and compare it to the stored md5 password.

Two-way encryption allows you to decode the secret in question. I prefer to use one-way encryption because it takes (nearly) all responsibility off me as a developer/dba.

-Andy
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: store password

Post by Mordred »

"One-way" means the function output cannot be directly reversed to recover the input. Other attacks are quite possible. My research shows that about 50 percent of unsalted passwords are trivially recoverable, and 80% are recoverable within 24 hours.

Details on the possible attacks and counter-measures are here:
viewtopic.php?t=62782
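The following is an added example, not code posted by anyone in this thread. It ties together the two answers above: it shows why the stored md5 of "cheese" that andyhoneycutt describes can be recovered by a simple lookup when it is unsalted (Mordred's point), and how to store a salted, slow one-way hash instead. It assumes PHP 7 or later with the standard password_hash() / password_verify() functions; the function names storePassword and checkPassword and the tiny "common passwords" table are constructed for illustration.

```php
<?php
// Added example, not from the thread: unsalted md5 lookup versus a salted, slow hash.

// Constructed sample: a tiny table of md5 digests for common passwords. A real
// precomputed table holds billions of entries, but the weakness is the same: an
// unsalted digest of "cheese" is identical on every site, so one lookup recovers it.
$commonPasswords = ['password', '123456', 'cheese', 'letmein'];
$lookup = [];
foreach ($commonPasswords as $candidate) {
    $lookup[md5($candidate)] = $candidate;
}

// What the earlier post describes storing: the bare md5 of the password.
$storedUnsalted = md5('cheese');
$recovered = $lookup[$storedUnsalted] ?? null;
echo "Unsalted md5 recovered by lookup: " . var_export($recovered, true) . "\n";

// Salted, slow one-way hash. password_hash() generates a random per-password salt,
// embeds it in the returned string, and applies a configurable work factor, so a
// precomputed table is useless and each guess costs the attacker real CPU time.
function storePassword(string $password): string
{
    // cost 12 is a reasonable 2024 default; raise it as hardware gets faster.
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Verification re-derives the hash from the stored salt and compares in constant
// time; the original password is never recoverable from $storedHash.
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Optional: upgrade old hashes transparently at login when the cost or algorithm
// has changed since the hash was created.
function needsUpgrade(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12]);
}

$stored = storePassword('cheese');
echo "Stored salted hash: {$stored}\n";
echo "Correct password accepted: " . var_export(checkPassword('cheese', $stored), true) . "\n";
echo "Wrong password rejected:   " . var_export(!checkPassword('cheeze', $stored), true) . "\n";
// Two users choosing the same password get different stored values because of the salt.
echo "Same password, different hash: " . var_export(storePassword('cheese') !== $stored, true) . "\n";
echo "Hash needs upgrade: " . var_export(needsUpgrade($stored), true) . "\n";
```

Run it with the PHP CLI. The first line of output shows the unsalted digest recovered as 'cheese' from the lookup table; the salted hash is accepted for the right password, rejected for the wrong one, and differs between two users with the same password. The design point is that the application stores only a salted, slow, one-way digest and lets the platform's password_hash() choose the algorithm and salt, which is the "let the platform handle them" advice quoted in the original question.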