Passwords
Alex Efros, 2014-04-24 23:19:46

What is the safest way to store user passwords in a database (hashing, bcrypt, salt, pepper)?

Correct me if I'm wrong, but as far as I understand, if pepper is not used, then by far the optimal solution is bcrypt($password) (random salt, cost=10). This will only use the first 72 characters of the password, which is acceptable. Possible variations - scrypt($password) if it is likely that they will break seriously on special hardware, or sha256($password . $salt) if there is a danger that using bcrypt can lead to a DoS attack on your service due to the lack of adequate protection against password brute force.
But with pepper, everything is not so clear. It should be large enough that simply adding it to the password will greatly reduce the number of password characters used. To avoid this, you need to use a combination of bcrypt and HMAC, and here there are options, the difference between which from the point of view of cryptography is not clear to me:

bcrypt(hmac_sha256($pepper, $password))
hmac_sha256($pepper, bcrypt($password))
Which of these options is better?
One more question - hmac_sha256($password, $pepper) is often used as an example, but it seems to me that it is more logical to pass pepper as the first parameter (as a key): hmac_sha256($pepper, $password). Is there any difference between these options in terms of cryptography?
PS Yes, hmac_sha256() is meant to return the result in base64 - otherwise there may be problems due to the null byte in some bcrypt implementations.


1 answer(s)
Alex Efros, 2014-04-25
@powerman

Apparently, instead of HMAC, it is more correct to use encryption with any standard algorithm using IV: encrypt_aes_cbc($pepper, bcrypt($password)). There are several reasons:

  • Ability to replace $pepper at any time (periodically, or after a leak).
  • Using a MAC for this purpose is a misuse - it's meant for a different purpose than encryption, which is exactly where it belongs.
  • Consistent hashing with different algorithms without cryptanalysis can weaken security; in addition, this is an invention of its own crypto-algorithm, which is best avoided.
But if possible, it is much safer not to use encryption and $pepper, but instead to prevent users from using passwords that are too simple (after all, if hackers find SQLi, then often they can get to reading files, which means they can find out $pepper).
As for my second question, the passing of $pepper as the last parameter, which confused me, was caused by the fact that the examples used PHP syntax, and there the key is passed last.
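
The encrypt_aes_cbc($pepper, bcrypt($password)) scheme from the answer above, including the pepper replacement it mentions, as an added PHP example that is not part of the original answer. The function names, the base64(IV . ciphertext) record layout and the use of a 32-byte random key as $pepper are assumptions.

```php
<?php
// Added example: bcrypt hash encrypted under a pepper key, with key rotation.
const CIPHER = 'aes-256-cbc';

// Encrypt a bcrypt hash under the pepper key; a fresh random IV per record.
function pepper_wrap(string $bcryptHash, string $key): string {
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($bcryptHash, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) { throw new RuntimeException('encryption failed'); }
    return base64_encode($iv . $ct); // assumed record layout: IV first
}

// Recover the bcrypt hash, or null if the record or the key is wrong.
function pepper_unwrap(string $stored, string $key): ?string {
    $raw = base64_decode($stored, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) <= $ivLen) { return null; }
    $pt = openssl_decrypt(substr($raw, $ivLen), CIPHER, $key,
                          OPENSSL_RAW_DATA, substr($raw, 0, $ivLen));
    return $pt === false ? null : $pt;
}

function store_password(string $password, string $key): string {
    // bcrypt with a random salt and cost=10, as in the question
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
    return pepper_wrap($hash, $key);
}

function check_password(string $password, string $stored, string $key): bool {
    $hash = pepper_unwrap($stored, $key);
    // A wrong key yields a padding error (null) or garbage that
    // password_verify() rejects because it is not a valid bcrypt string.
    return $hash !== null && password_verify($password, $hash);
}

// Replace the pepper without knowing any user's password: only the
// outer encryption layer is redone, the bcrypt hash stays untouched.
function rotate_pepper(string $stored, string $oldKey, string $newKey): string {
    $hash = pepper_unwrap($stored, $oldKey);
    if ($hash === null) { throw new RuntimeException('cannot decrypt record'); }
    return pepper_wrap($hash, $newKey);
}

// Constructed demo values; real keys would be loaded from outside the database.
$oldKey = random_bytes(32);
$newKey = random_bytes(32);
$record  = store_password('constructed sample password', $oldKey);
$rotated = rotate_pepper($record, $oldKey, $newKey);
var_dump(check_password('constructed sample password', $rotated, $newKey));
var_dump(check_password('constructed sample password', $rotated, $oldKey));
```

AES-CBC, as named in the answer, provides no integrity check on the stored record; an authenticated mode such as aes-256-gcm would detect modified records.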
