nameless1

Members
Posts: 4
  1. Thanks for the info guys :D

     I've been searching and reading for the last 2 days about PHP password cryptographic hashing. The most common and secure functions I came across were sha256/512, bcrypt, HMAC, PBKDF2 (Password-Based Key Derivation Function) and PHPass. From what I've been reading, speed is an enemy (http://codahale.com/how-to-safely-store-a-password/), so I've been looking for the "slowest" secure hashing algorithm, which I found is bcrypt and PHPass (http://www.openwall.com/phpass/). Now I can't make up my mind which one to use. :confused: What do you guys think? Which one should I go with and why?

     Just to make sure:
     1. bcrypt = crypt_blowfish, right?
     2. bcrypt and PHPass are both hash + salt functions? I mean I don't have to add salt, they already have the salt function built in.

     Thanks in advance!
  2. Thanks guys for the HELPFUL info!
  3. Thanks a lot! But wouldn't it be more secure if I stored the $salt in include.php or some other file rather than in the database? If an attacker gets all the info from the database, then he also has every unique salt. On the other hand, how will the login script know which salt to get from the list if they're all in a single file? Any ideas?
  4. Hi to all,

     I have some questions about password security that I haven't been able to find an answer to yet. Hopefully you guys know. Here it goes:

     1. Is it better to hash (sha2) the password and then salt it, or salt it and then hash it?
     2. I'm guessing that using a random salt is better than the same salt used for every password.
     3. How can you generate a different random salt for each password? I mean, how will the login page know which random salt to mix with the hashed user-inserted password and then compare it with the password stored in the db? (An example would be great, for both generating and authentication.)
     4. I saw some code in which the salt and/or hash and/or password was split into two (ex: hash.salt1a.password.salt1b or password1a.salt.password1b or salt.hash1a.password.hash1b etc.). Is this a good idea? Is it really more secure? If so, which would be more secure (splitting the password, the hash or the salt)?
     5. Is double hashing (ex: sha1(md5($password))) any good?
     6. I've been reading something about password salt and pepper?? What exactly is pepper? Is it some sort of second salt?

     If somebody could enlighten me about these questions, that would be great.

     Thanks in advance!
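Worked example for the questions raised in posts 4, 3 and 1 above (generating a different random salt per password, how the login script finds that salt again, where a pepper differs from a salt, and how bcrypt does the salting for you). This is an added example, not code posted in the thread or taken from PHPass. It uses PHP's built-in password_hash()/password_verify() (PHP 7.0 or later for the type hints), which wrap the same crypt_blowfish bcrypt ("$2y$") that PHPass prefers. The $users array and the pepper value are constructed for the example; in real code the pepper is loaded from a config file outside the web root or from an environment variable, never from the database, while the salt needs no such protection because bcrypt stores it, unhidden, inside the hash string it returns.

```php
<?php
// Added example (not from the original thread).
// - Salt: drawn fresh and at random by bcrypt on every password_hash() call and
//   embedded in the returned string "$2y$<cost>$<22-char salt><31-char hash>",
//   so the login code never has to look a salt up: it reads it out of the
//   stored string. The salt is not secret; it only makes each hash unique.
// - Pepper: one site-wide secret that is NOT in the database. It is mixed in
//   with HMAC before bcrypt, so a database dump alone is not enough to start
//   cracking. The value below is constructed for the example.

const BCRYPT_COST = 12;

// Hypothetical pepper; load it from config/environment in real code.
$pepper = 'example-pepper-load-me-from-config-not-the-database';

// Pre-hash with HMAC-SHA256 (64 hex chars). This mixes in the pepper and also
// keeps the input well under bcrypt's 72-byte limit, so long passwords are not
// silently truncated.
function prehash(string $password, string $pepper): string {
    return hash_hmac('sha256', $password, $pepper);
}

// Registration: returns the single string to store in the users table.
function make_password_record(string $password, string $pepper): string {
    return password_hash(prehash($password, $pepper), PASSWORD_BCRYPT,
                         ['cost' => BCRYPT_COST]);
}

// Login: password_verify() parses algorithm, cost and salt from $stored,
// recomputes the hash and compares in constant time.
function check_password(string $password, string $stored, string $pepper): bool {
    return password_verify(prehash($password, $pepper), $stored);
}

// Login with transparent upgrade: if the stored record was made with a lower
// cost than the current setting, rehash it now that the plaintext is available.
function login(array &$users, string $name, string $password, string $pepper): bool {
    if (!isset($users[$name]) || !check_password($password, $users[$name], $pepper)) {
        return false;
    }
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$name] = make_password_record($password, $pepper);
    }
    return true;
}

function expect(bool $cond, string $msg): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $msg");
    }
}

// Constructed "database" rows. Both users pick the same password.
$users = [];
$users['alice'] = make_password_record('correct horse battery staple', $pepper);
$users['bob']   = make_password_record('correct horse battery staple', $pepper);

// Same password, different random salts => different stored values.
expect($users['alice'] !== $users['bob'], 'per-user salt');
expect(strpos($users['alice'], '$2y$' . BCRYPT_COST . '$') === 0, 'bcrypt record format');

// Authentication finds the salt inside the stored string.
expect(login($users, 'alice', 'correct horse battery staple', $pepper) === true,  'right password');
expect(login($users, 'alice', 'wrong password', $pepper) === false,               'wrong password');
expect(login($users, 'nobody', 'correct horse battery staple', $pepper) === false, 'unknown user');

// An attacker holding only the database dump (no pepper) cannot verify guesses.
expect(password_verify('correct horse battery staple', $users['alice']) === false, 'pepper required');

echo "all checks passed\n";
```

Two points the example makes concrete: the order question (hash then salt vs. salt then hash) disappears with bcrypt, because the salt is an input to the one slow hash rather than something appended before or after a fast one; and splitting or interleaving salt, hash and password strings adds no security, since the attacker who has the database already sees the salt and the layout.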