Hashing
sdevalex, 2011-10-22 19:35:38

Password hash, unique salt?

Is there an article on the topic of creating good hashes? Where to store unique salt?


3 answer(s)
Anton_from_Amber, 2011-10-22

A translated article was published the other day, precisely about the use of salt.
If you are paranoid, then it is better not to store the salt at all but to compute it from relatively accessible data. Take, for example, the SKU of the user's first purchase, add the price of the item, add a common constant salt, and wrap it all in MD5. If there were no purchases, use the first product viewed (think it through yourself). If the money data is kept in a separate database, this turns out fairly stable.
You can also generate the salt and a new hash from the latest microblog entry or the login of the assigned manager. Use your imagination.
The main thing is to limit an attacker's ability to reach this data when the system is only partially compromised. For example, he has the table with logins and hashes and access to the site content, but could not get at the billing database. Or he has no file-system access and is stuck at the avatar settings. That makes things harder for him.

iStyx, 2011-10-22

The first thing that came to mind:
    import hashlib  # the same construction, written out as runnable Python: sha1(md5(password) + password)
    hashed_password = hashlib.sha1(hashlib.md5(password.encode()).hexdigest().encode() + password.encode()).hexdigest()

HarpyWar, 2011-10-24

I will quote comrade varnar:
So that brute force does not help, you need to use bcrypt and salt it with SHA-512 over several iterations, so that generating the required hash takes, say, half a second.
Passwords need to be ENCRYPTED, not hashed; hashing is designed for fast computation of the hash, and that is exactly what we do not need.
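The approach the quote above describes (a deliberately slow, iterated SHA-512 derivation with a per-user random salt stored next to the hash), as an added example that is not part of the original thread. It uses PBKDF2-HMAC-SHA512 from the Python standard library instead of bcrypt, since bcrypt is a third-party package; the record format `algorithm$iterations$salt$hash`, the constant names and the default iteration count are assumptions of this example. The salt goes in the same record as the hash, which is the usual answer to "where do I store the salt": it is not a secret, its job is to make equal passwords hash differently and to defeat precomputed tables.

```python
import hashlib
import hmac
import os
import time

# Added example, not code from the original answers. Slow, salted password
# hashing from the standard library: PBKDF2 with HMAC-SHA512 iterated many
# times, a fresh 128-bit random salt per password, and the cost stored in
# the record so it can be raised later without breaking existing entries.

ALGORITHM = "pbkdf2_sha512"        # assumed record tag for this example
SALT_BYTES = 16                    # 128-bit random salt per password
DEFAULT_ITERATIONS = 200_000       # assumption: tune with calibrate_iterations()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(record: str, candidate: str) -> bool:
    """Recompute with the stored salt and cost; compare digests in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False                # malformed record: never accept it
    if algorithm != ALGORITHM or rounds < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha512", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def calibrate_iterations(target_seconds: float = 0.5, probe: int = 20_000) -> int:
    """Estimate the iteration count that costs about target_seconds on this host.

    PBKDF2 cost is linear in the iteration count, so one timed probe run is
    scaled to the target; the floor keeps the result from collapsing on a
    very fast or badly timed measurement.
    """
    salt = os.urandom(SALT_BYTES)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha512", b"calibration", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(1000, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    # Constructed sample input for the demonstration.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password(record, "correct horse battery staple"))   # True
    print(verify_password(record, "Correct horse battery staple"))   # False
    print("iterations for ~0.5 s on this machine:", calibrate_iterations())
```

Two of the same password never produce the same record because each call draws a new salt, so an attacker who dumps the table has to attack every row separately at the full per-guess cost; raising `DEFAULT_ITERATIONS` over time is done by rehashing on the user's next successful login, since the old cost is still readable from the record.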
