FAQ

On Saturday 07 May 2011 04:06:47 Brandon McCaig wrote:
On Fri, May 6, 2011 at 8:50 AM, Jeff Pang wrote:
No. there is no such thing called decryption if you want to protect
your passwords strictly. Agreed.
Generally we crypt the user's password with md5 or similar and
store them to a database. When user input their username and
password from the web from to login, we re-encrypt the
password and compare it to the database.
Basically, yes. You use some kind of one-way hashing function
(i.e., something that can't practically be reversed) and store
the result of that. Later when the user enters their password you
hash what they entered and compare it to the stored hash. Often
you also generate a user-specific "salt", which you combine with
the password in some standard way prior to hashing so that the
same passwords will appear different in the database for
different users (for a slight bit of extra security).
The encryption function could be md5:
AFAIK, MD5 is no longer considered secure so you should probably
use something better for optimal results. I'm not sure what you
should use, but I'm sure if you ask the Web you will find plenty
of advice.

From Wikipedia[1]:
US-CERT of the U. S. Department of Homeland Security said MD5
"should be considered cryptographically broken and unsuitable
for further use," and most U.S. government applications now
require the SHA-2 family of hash functions.
[1] http://en.wikipedia.org/wiki/MD5
For best results, one should also use a salted hash:

http://search.cpan.org/dist/Crypt-SaltedHash/

There's also a new concept called "stretching" which aims to be even better
than that. I should note that you should be very careful when writinig
cryptography/cryptology code, because it may end up being very insecure if
you're doing something wrong. Maybe try getting an expert opinion on some
channels on http://freenode.net/ such as ##crypto or ##security so they can
verify your algorithmic code is sane. Most people here, including me, are not
crypto and security experts.

Regards,

Shlomi Fish

--
-----------------------------------------------------------------
Shlomi Fish http://www.shlomifish.org/
Interview with Ben Collins-Sussman - http://shlom.in/sussman

<rindolf> I am not solvable. I am Turing hard.

Please reply to list if it's a mailing list post - http://shlom.in/reply .

Search Discussions

Discussion Posts

Previous

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 6 of 6 | next ›
Discussion Overview
groupbeginners @
categoriesperl
postedMay 6, '11 at 12:38p
activeMay 7, '11 at 6:03a
posts6
users5
websiteperl.org

People

Translate

site design / logo © 2021 Grokbase