How can I hash a password and store it for later verification with another digest?
I am using gsoap's wsseapi plugin and would like to store hashed sha1 passwords rather than plain text. I have spent a ridiculous amount of time experimenting with various methods of hashing the plain text password for storage.
Can anyone suggest a way to hash a password so it can be later verified against a username token digest sent by the client?
I can't seem to get the client password to authenticate against my stored hash.
Don't roll your own crypto; use a scheme that's well known and accepted by the community, such as PBES2 (as specified by PKCS#5 v2.1). If you're in luck, you'll find a ready-made implementation of it (hint: OpenSSL probably does).
Not storing plain-text passwords is good. Picking a hash which was developed to be calculated very fast is... not so clever. Read more on "key derivation" at http://www.tarsnap.com/scrypt.html. Basically it slows down "calculation of the hashed password" a lot, so that an attacker is slowed down in his attempts to use brute force.
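A worked example of the key-derivation approach this answer recommends, added here and not part of the original post or of gsoap's wsseapi: PBKDF2-HMAC-SHA256 from Python's hashlib (the KDF that the PBES2 scheme named in the other answer is built on; hashlib.scrypt, from the linked page, would drop in the same way). The iteration count, the `algorithm$iterations$salt$hash` record layout and the sample passwords are assumptions for the example.

```python
"""Slow, salted password storage with PBKDF2.

Added example, not the original page's or gsoap's code.  The record layout
and the work factor below are assumptions chosen for the demonstration.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor: raise until one verification costs a noticeable fraction of a
# second on the server.  Every extra iteration costs an attacker the same.
PBKDF2_ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.

    A fresh random salt per password means two users with the same password
    get different records and no precomputed table applies."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                  iterations, dklen=DK_LEN)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(derived).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-run the KDF with the salt and iteration count stored in the record
    and compare in constant time.  Malformed or foreign records never verify."""
    try:
        algorithm, iterations, salt_b64, derived_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(derived_b64, validate=True)
        iterations = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM or iterations < 1 or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy,
    so it can be upgraded transparently at the next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
```

This only helps when the server actually receives the password to feed into `verify_password`, that is, a UsernameToken with PasswordText sent over TLS; with PasswordDigest the server has to redo the client's nonce/timestamp digest over the plaintext, which is the conclusion the asker reaches later in this thread.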
It seems that the plain-text password is required on both sides. This is so that, on the server, the stored password is hashed using the nonce created on the client side, and then the password hashes are compared.
I thought there may have been a way for the client to enter a normal alphanumeric password and for the server to retrieve a pre-stored hashed version of the same password for comparison. It seems this isn't possible because of the nonce, timestamp, etc.
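The exchange described in this answer, as an added example that is not part of the original post or of gsoap's wsseapi: the client builds a UsernameToken with PasswordDigest = Base64(SHA-1(nonce + created + password)), the server recomputes it from the stored plaintext (with the replay and clock-skew checks a practitioner would add), and a final function shows why feeding a stored SHA-1 of the password into the same computation can never match. The user table, the skew window and the field names in the token dictionary are assumptions for the example.

```python
"""WS-Security UsernameToken PasswordDigest, both sides of the exchange.

Added example, not the original page's or gsoap's code.  The in-memory user
table, the 5-minute skew window and the dict-based token are assumptions.
"""
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest = Base64(SHA-1(nonce + created + password)).

    nonce is the raw bytes (the token carries it Base64-encoded); created is
    the xsd:dateTime string exactly as it appears in the token."""
    h = hashlib.sha1(nonce + created.encode("utf-8") + password.encode("utf-8"))
    return base64.b64encode(h.digest()).decode("ascii")


def make_username_token(username: str, password: str,
                        nonce: Optional[bytes] = None,
                        created: Optional[str] = None) -> dict:
    """Client side: the fields of a UsernameToken with Type=PasswordDigest."""
    if nonce is None:
        nonce = os.urandom(16)
    if created is None:
        created = datetime.now(timezone.utc).strftime(TIME_FORMAT)
    return {
        "Username": username,
        "Nonce": base64.b64encode(nonce).decode("ascii"),
        "Created": created,
        "PasswordDigest": password_digest(nonce, created, password),
    }


class DigestVerifier:
    """Server side.  The digest is SHA-1 over nonce+created+<password>, so the
    server must hold the password itself to redo that computation."""

    def __init__(self, passwords: dict, max_skew: timedelta = timedelta(minutes=5)):
        self.passwords = passwords      # username -> plaintext password (constructed)
        self.max_skew = max_skew
        self.seen_nonces = set()        # replay cache; bound/expire it in production

    def verify(self, token: dict, now: Optional[datetime] = None) -> bool:
        password = self.passwords.get(token.get("Username"))
        if password is None:
            return False
        try:
            created = datetime.strptime(token["Created"], TIME_FORMAT)
            created = created.replace(tzinfo=timezone.utc)
            nonce = base64.b64decode(token["Nonce"], validate=True)
        except (KeyError, ValueError):
            return False
        now = now or datetime.now(timezone.utc)
        if abs(now - created) > self.max_skew:
            return False                # stale or future-dated token
        if nonce in self.seen_nonces:
            return False                # same nonce seen before: replay
        expected = password_digest(nonce, token["Created"], password)
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False
        self.seen_nonces.add(nonce)
        return True


def sha1_hex(password: str) -> str:
    """The kind of pre-hashed value the question wanted to store."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def verify_against_stored_sha1(token: dict, stored_sha1_hex: str) -> bool:
    """What the question attempted.  The client hashed nonce+created+<password>;
    the server can only compute nonce+created+<sha1(password)>, so the two
    digests never agree and this always returns False for a genuine token."""
    nonce = base64.b64decode(token["Nonce"])
    expected = password_digest(nonce, token["Created"], stored_sha1_hex)
    return hmac.compare_digest(expected, token["PasswordDigest"])


if __name__ == "__main__":
    users = {"alice": "s3cret"}          # constructed sample
    token = make_username_token("alice", "s3cret")
    server = DigestVerifier(users)
    print(server.verify(token))                                  # True
    print(server.verify(token))                                  # False: replay
    print(verify_against_stored_sha1(token, sha1_hex("s3cret")))  # False
```

The comparison uses hmac.compare_digest, and the nonce cache plus the Created window are what stop a captured token from being replayed; neither changes the underlying fact that the server-side secret in this scheme is the password, not a hash of it.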