[OWASP_PHPSEC] Second Library - Password Management
rahul300chaudhary400 at gmail.com
Wed May 29 05:10:06 UTC 2013
So can we do this?
First the user enters their password in plaintext. Their password gets
simply hashed and reaches the server. We encrypt those hashes with a secret
key of our own and store that encrypted string in the DB (these strings, as you
pointed out, need to be stored with extra security). Then we create a
random salt and store this salt in the DB. Then finally we hash the stored
encrypted string and the random salt and produce a final hash value stored
in our DB.
PRO: If the hashes get stolen, they would anyway be encrypted with
our secret key, and so we can now do two things: change the encryption
key or change the encryption mechanism. So the user password will still
be the same, but the underlying mechanism wholly depends on the encryption
key. As a side effect, it saves us from rainbow cracks also.
CONS: It surely will take time because encryption can be bulky
sometimes, but this is not much of a problem.
and for now we can just use SHA-512.
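One way to implement the pipeline the message describes, as an added example (not code from the post or from the OWASP PHPSEC library). It assumes AES-256-CBC with a per-record random IV that is stored beside the ciphertext, so the final hash stays reproducible, and it uses SHA-512 as the message proposes; the function names (`clientHash`, `encryptHash`, `finalHash`, `createRecord`, `verify`, `rotateKey`) are chosen here for illustration.

```php
<?php
// Added example of the proposed scheme (not from the post or the project).
// Assumption: AES-256-CBC with a stored random IV, so re-encrypting the same
// client hash under the same key yields the same ciphertext at verify time.

function clientHash(string $password): string {
    // Step 1: the client sends hash(password), not the plaintext (assumed SHA-512).
    return hash('sha512', $password);
}

function encryptHash(string $clientHash, string $serverKey, string $iv): string {
    // Step 2: encrypt the received hash under the server-side secret key.
    return openssl_encrypt($clientHash, 'aes-256-cbc', $serverKey, OPENSSL_RAW_DATA, $iv);
}

function finalHash(string $ciphertext, string $salt): string {
    // Step 3: hash the encrypted string together with a per-user random salt.
    return hash('sha512', $ciphertext . $salt);
}

function createRecord(string $clientHash, string $serverKey): array {
    $iv   = random_bytes(16); // AES block size; stored so the hash is reproducible
    $salt = random_bytes(16); // per-user random salt, also stored
    $ct   = encryptHash($clientHash, $serverKey, $iv);
    return ['iv' => $iv, 'ct' => $ct, 'salt' => $salt, 'hash' => finalHash($ct, $salt)];
}

function verify(string $clientHash, string $serverKey, array $rec): bool {
    // Recompute the chain with the stored IV and salt; constant-time compare.
    $ct = encryptHash($clientHash, $serverKey, $rec['iv']);
    return hash_equals($rec['hash'], finalHash($ct, $rec['salt']));
}

function rotateKey(array $rec, string $oldKey, string $newKey): array {
    // The PRO from the post: the stored ciphertext is reversible with the old
    // key, so the secret key can change without the user changing a password.
    $plainHash   = openssl_decrypt($rec['ct'], 'aes-256-cbc', $oldKey, OPENSSL_RAW_DATA, $rec['iv']);
    $rec['ct']   = encryptHash($plainHash, $newKey, $rec['iv']);
    $rec['hash'] = finalHash($rec['ct'], $rec['salt']);
    return $rec;
}

// Constructed usage: create a record, verify, rotate the key, verify again.
$key1 = random_bytes(32);
$key2 = random_bytes(32);
$rec  = createRecord(clientHash('correct horse'), $key1);
if (!verify(clientHash('correct horse'), $key1, $rec)) { throw new RuntimeException('verify failed'); }
$rec  = rotateKey($rec, $key1, $key2);
if (!verify(clientHash('correct horse'), $key2, $rec)) { throw new RuntimeException('rotation failed'); }
if (verify(clientHash('wrong password'), $key2, $rec)) { throw new RuntimeException('false accept'); }
echo "ok\n";
```

Note that a single SHA-512 round is fast for an attacker who obtains both the records and the server key; the scheme's strength rests on keeping the secret key out of the database, which is the point the message makes about storing those strings with extra security.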