Is this password storage method secure?
I was just thinking if creating a password hash by using a salt created from the password himself is safe to use. Here an example in php:
<?php
$pass = $_GET['pass'];
$salt = hash('whirlpool', $pass);
$pass = md5(hash('whirlpool', $salt.$pass));
echo $pass;
?>
Does this make sense ?
Regar开发者_StackOverflow社区ds.
The point of a salt is to make everyone's password unique. So in this case just hashing their password and adding it as a salt would still make 2 user's final hashed password equal when the same original password is given. Better to give each user a random salt and store that right beside their password in the db.
It's no necessary to hash and re hash and re re hash the password.
Use a salt with a good hashcode algorithm is a good thing, but you need to force yours users to send a strongly password with a minimum of size and with alphanumeric characters
notes:
- Using sha1 is better than md5.
- Using a good salt (thanks @John Bartholomew)
- Force yours users to create a strongly password
I do it like this
<?php
$my_key = "myapp";
$temp_pwd = htmlentities(trim($_POST['password']));
$hashed = sha1($my_key.$temp_pwd);
save $hashed in database on signup
and with every login attemp merge the input password value with your key and make a hash of it and than compare with database password value
?>
You can protect both your password and your salt.
Use SHA256 or higher (2012) and in years to come it must be higher.
Use a different salt for every user.
Use a calculated salt.
Create a 16 to 32 byte Salt and store it in the database, called 'DBSalt'.
Create any old algorithm to manipulate the salt but keep the algorithm only in code. Even something as simple as DBSalt + 1 is useful because if someone gets your database, they don't actually have the correct salt because the correct salt is calculated.
Calculate your password as follows:
CreateHash(saltAlgorithm(dbSalt), password);
You can add security by having a list of algorithms that manipulate the DBSalt in different ways. Every time a user changes their password you also use a different calculation against the DBSalt
You can add more security by having these algorithms be stored on web servers external to your system so if your DB and code both get hacked, they still don't have your salt.
- You can also increase security by having a before, and after, or both salt and the database alone doesn't provide this information.
There is no end to the "You can increase security by..." comments. Just remember, every time you add security, you add complexity, cost, etc...
How to effectively salt a password stored as a hash in a database
精彩评论