security - How do I implement salt into my login for passwords?


I want to apply a salt to my login system, but it is a bit confusing how it should work. I cannot understand the logic behind it. I understand that MD5 is a one-way algorithm and all the functions I have found seem to hash everything together. If this is the case, how do I get my password back for comparison? My biggest question is how safe it is to secure a user's password through hashing. If the database was ever compromised, then there is a hash with a salt in the database. Isn't that all a hacker needs?

I have found another post here, where another developer said:

"Make sure your salts and algorithms are stored separately from the database."

I would like to store salt in the database. Is this really a problem if I do?

I'm just looking for some help in understanding this, how it works and what the best practice is. Any help is greatly appreciated.


EDIT: I want to thank everyone for your responses and thoughts. Although I may now be more confused, it will definitely be a learning experience for me. Thanks again, people.

A hash function always returns the same value for the same input string. Let's assume that my user (Alice) has the password secret; hashing this using md5 gives the following hash:

  5ebe2294ecd0e0f08eab7690d2a6ee69  

A dictionary (a list of common words and passwords), or one of the various services that provide such lookups, lets the attacker easily find out that the password is secret as soon as it sees in its dictionary that 5ebe2294ecd0e0f08eab7690d2a6ee69 = secret.

The process of salting before hashing makes it harder to mount a dictionary attack without knowing your salt; consider the following:

   

The resulting hash is now b58ad809eece17322de5024d79299f8a, but Alice's password is still secret. Now, if Malory gets her hands on the salted hash, it is likely that she will not find the answer in her dictionary. If she does, she will get a wrong answer.

Never store a static salt in your database; preferably store it with your application's configuration (which should not be accessible from the web).

If you are going to use a dynamic salt, you will need to use the database. To make your salt, use an existing non-empty column of valid data (a secret encryption key or the Blowfish-encrypted string of the user name is usually cryptographically secure). Do not use a separate column for the salt. If you cannot use an existing column, then prepend your salt to your hash in the same column. For example, use the first 32 characters for your 128-bit salt and the last 40 for your 160-bit hash. The following functions will generate such a hash:

    <?php
    // Returns a string of hex-encoded salt followed by the 40-char SHA-1 hex digest.
    function seeded_sha1($string, $seed_bits)
    {
        if (($seed_bits % 8) != 0) {
            throw new Exception('bits must be divisible by 8');
        }
        $salt = '';
        // one random byte per 8 bits of salt
        // (mt_rand() is not a CSPRNG; on PHP 7+ random_bytes() is the better source)
        for ($i = 0; $i < $seed_bits; $i += 8) {
            $salt .= pack('c', mt_rand());
        }
        $hexsalt = unpack('h*hex', $salt);
        return $hexsalt['hex'] . sha1($salt . $string);
    }

    // Splits the stored value back into salt and digest and re-hashes the candidate.
    function compare_seeded_sha1($plain, $hash)
    {
        $sha1 = substr($hash, -40);
        $salt = pack('h*', substr($hash, 0, -40));
        $plain_hash = sha1($salt . $plain);
        return ($plain_hash == $sha1);
    }

If an attacker gets into your database through SQL injection, at least the hashes they retrieve will not be useful, because they will not be able to access your application configuration. If your server gets rooted, then it is pretty much game over, no matter what you do.

Note: other types of attack are possible, so you should use a more secure hashing algorithm. Or, better yet, use a library that was designed with security in mind and is backwards compatible with any PHP version.

    <?php
    require('PasswordHash.php');
    $pwdHasher = new PasswordHash(8, FALSE);

    // $hash is what you would store in your database
    $hash = $pwdHasher->HashPassword($password);

    // $hash would be the value stored in your database for this user
    $check = $pwdHasher->CheckPassword($password, $hash);
    if ($check) {
        echo 'password correct';
    } else {
        echo 'wrong credentials';
    }
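The following is an added example, not code from the original question or answer. It shows why a precomputed dictionary of MD5 hashes cracks Alice's unsalted hash immediately, and why a random per-user salt stored in the same column (the 32 hex chars of salt plus 40 of SHA-1 layout from the answer) makes that table useless even when the attacker has the salt; the word list is constructed for the demo.

```php
<?php
// Constructed word list standing in for an attacker's dictionary.
$dictionary = ['password', '123456', 'letmein', 'secret', 'qwerty'];

// Precomputed table (hash => word): built once, reused against every leaked
// database that stores unsalted hashes.
$table = [];
foreach ($dictionary as $word) {
    $table[md5($word)] = $word;
}

// Alice's unsalted hash from the answer above: one lookup recovers it.
$unsalted = '5ebe2294ecd0e0f08eab7690d2a6ee69';
echo "unsalted lookup: ", $table[$unsalted] ?? 'not in table', "\n";

// Same password with a random per-user salt, stored as salt(32 hex) . sha1(40 hex).
function make_salted_hash(string $password): string
{
    $salt = random_bytes(16);                     // CSPRNG (PHP 7+), 128-bit salt
    return bin2hex($salt) . sha1($salt . $password);
}

function verify_salted_hash(string $password, string $stored): bool
{
    $salt     = hex2bin(substr($stored, 0, 32));
    $expected = substr($stored, 32);
    // Constant-time comparison so a mismatch does not leak via timing.
    return hash_equals($expected, sha1($salt . $password));
}

$stored = make_salted_hash('secret');

// Even with the salt sitting right next to the digest, the precomputed table
// cannot match it: the attacker would have to recompute the whole dictionary
// for this salt, and again for every other user's salt.
$digest = substr($stored, 32);
echo "salted lookup:   ", $table[$digest] ?? 'not in table', "\n";

// The application verifies a login in one step.
var_dump(verify_salted_hash('secret', $stored));
var_dump(verify_salted_hash('wrong',  $stored));

// For production code prefer password_hash()/password_verify() (bcrypt),
// which adds a work factor on top of the per-user salt shown here.
```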
