开发者

What is better hashed or encrypted passwords?

问答 作者:

What开发者_如何学Python is best for storing passwords? Should I be Encrypting or hashing password for you users table ?

What do you prefer, and why? Could you please provide an example of secure password storage.

Considering passwords generally don't have to be checked / hashed / whatever that often (they are when one is logging in, and registrering ; but that's pretty much it), speed is generaly not much of a concern : what matters is security.

What's generally done is :

  • when a user registers, he types his (new) password)
  • that password is salted + hashed, and the result is stored in database
  • Then, when a user wants to log-in, he types his password
  • What is typed is salted + hashed, and compared to the value stored in the database.

The main key is : never store the real password in the DB -- only a hash of it ; and salt it before hand, to avoid attacks by rainbow-tables.

And it seems this is already what you're doing -- so good point for you ;-)


Which hashing function should be used ? Well, sha1 is often considered as OK ; md5 is less OK now ; sha512 should be more than OK, I guess.

I'd do this usually:

<?php

function createHash($pwd, $salt = ''){
  $hash = '';
  if(!$salt){
    $salt = hash('sha256',mt_rand().time().$pwd.'2130A');
  }
  if($pwd[0] & 0){
    if($pwd[strlen($pwd)-1] & 1){
      $hash = hash('sha256', $pwd.$salt).$salt;
    }else{
      $hash = $salt.hash('sha256', $pwd.$salt);
    }
  }else{
    if($pwd[strlen($pwd)-1] & 1){
      $hash = $salt.hash('sha256',$salt.$pwd);
    }else{
      $hash = hash('sha256', $salt.$pwd).$salt;
    }
  }
  return $hash;
}

function getSalt($pwdHash){
  if($pwd[0] & 0){
    if($pwd[strlen($pwd)-1] & 1){
      $salt = substr($pwdHash,64);
    }else{
      $salt = substr($pwdHash,0,64);
    }
  }else{
    if($pwd[strlen($pwd)-1] & 1){
      $salt = substr($pwdHash,0,64);
    }else{
      $salt = substr($pwdHash,64);
    }
  }
  return $salt;
}

var_dump(createHash('testPassword',getSalt($pwdHashFromDb)) == $pwdHashFromDb); // true
  • Salting provides higher security than a usual hash.
  • The salt position depends on the entered password, and thus this makes the salt less vulnerable to be captured.
  • Raw password is never known or stored
  • balance between security and speed (for websites).

Hashing rather than encrypting passwords can help protect you against insider threats. Since the hash is a one-way process, for the most part users' stored, hashed passwords should not be decipherable. Rather, you can only run newly-inputted password attempts through the same has to see if the result is the same.

If you store encrypted passwords I would think that would imply that they could also be decrypted, which might be problematic if you have an untrustworthy insider.

This might be a good answer to the interview question, "How can you stop your DBA from making off with a list of your users’ passwords?"

I have posted a question here https://stackoverflow.com/questions/10308694/what-is-the-right-method-for-encoding-hashed-passwords-for-storage-in-ravendb with some sample code. Though the question itself might prove to be boneheaded, perhaps the code sample can be useful to you, if the c# code is intelligible.

继续阅读:hashpasswordsphpsecurity

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9