[OWASP_PHPSEC] Second Library - Password Management

rahul chaudhary rahul300chaudhary400 at gmail.com
Wed May 29 05:10:06 UTC 2013


So can we do this?

First, the user enters their password in plaintext. The password is simply hashed and reaches the server. We encrypt that hash with a secret key of our own and store the encrypted string in the DB (these strings, as you pointed out, need to be stored with extra security). Then we create a random salt and store this salt in the DB. Then finally we hash the stored encrypted string together with the random salt and produce a final hash value, which is stored in our DB.


PRO: If the hashes get stolen, they would anyway be encrypted with our secret key, and so we can now do two things: change the encryption key or change the encryption mechanism. The user's password will still be the same, but the underlying mechanism depends wholly on the encryption key. As a side effect, it saves us from rainbow-table cracks also.

CONS: It surely will take time, because encryption can be bulky sometimes, but this is not much of a problem.


And for now we can just use SHA-512.
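The scheme proposed in the message above, written out as an added Python example (it is not code from the OWASP PHPSEC project or from the poster). It follows the four steps as described: the client hashes the password with SHA-512, the server encrypts that hash under a server-side secret key, generates a random salt, and stores the hash of the encrypted string plus the salt. It also shows the verification path the message leaves implicit and the advertised PRO, rotating the secret key without the user re-entering their password. Two assumptions are mine: the secret key value is a constructed placeholder (in practice it would live in a KMS/HSM or a config file outside the database, as the message's "extra security" remark implies), and the "encryption" is a one-block stream cipher built from HMAC-SHA512 as a PRF with a per-record nonce, standing in for a real cipher such as AES so the example runs on the standard library alone. Note that the example keeps SHA-512 exactly as proposed, so any resistance to offline guessing comes only from the key staying secret, not from the hash being slow.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Assumed server-side secret key (constructed placeholder; production code would
# load it from a KMS/HSM or a secrets file that is never stored next to the DB).
SERVER_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)
NONCE_LEN = 16   # per-record nonce prepended to the encrypted hash
SALT_LEN = 16    # random salt stored beside the record


def client_hash(password: str) -> bytes:
    """Step 1: the client hashes the plaintext password before it reaches the server."""
    return hashlib.sha512(password.encode("utf-8")).digest()


def _keystream(key: bytes, nonce: bytes) -> bytes:
    # 64-byte keystream block from HMAC-SHA512 used as a PRF. This is a stand-in
    # for a real cipher (assumption, not the project's design); it is reversible
    # because XOR with the same keystream decrypts.
    return hmac.new(key, nonce, hashlib.sha512).digest()


def encrypt_hash(key: bytes, client_digest: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Step 2: encrypt the 64-byte client hash under the server key.

    Returns nonce || ciphertext so the same nonce can be reused at verify time.
    """
    if len(client_digest) != 64:
        raise ValueError("expected a raw SHA-512 digest (64 bytes)")
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    keystream = _keystream(key, nonce)
    return nonce + bytes(a ^ b for a, b in zip(client_digest, keystream))


def decrypt_hash(key: bytes, blob: bytes) -> bytes:
    """Recover the client hash from nonce || ciphertext (needed for key rotation)."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    keystream = _keystream(key, nonce)
    return bytes(a ^ b for a, b in zip(ciphertext, keystream))


def final_hash(encrypted: bytes, salt: bytes) -> bytes:
    """Step 4: SHA-512 over the stored encrypted string and the random salt."""
    return hashlib.sha512(encrypted + salt).digest()


@dataclass
class StoredRecord:
    """What the message says ends up in the DB for one user."""
    encrypted: bytes   # nonce || encrypted client hash
    salt: bytes        # step 3: random salt
    final: bytes       # step 4: SHA-512(encrypted || salt)


def register(key: bytes, password: str) -> StoredRecord:
    """Run all four steps for a new password and build the DB record."""
    digest = client_hash(password)
    encrypted = encrypt_hash(key, digest)
    salt = os.urandom(SALT_LEN)
    return StoredRecord(encrypted, salt, final_hash(encrypted, salt))


def verify(key: bytes, record: StoredRecord, password: str) -> bool:
    """Recompute the chain from a login attempt and compare in constant time.

    The nonce is taken from the stored record so the re-encryption is
    deterministic for this user; the comparison is on the final hash.
    """
    digest = client_hash(password)
    nonce = record.encrypted[:NONCE_LEN]
    encrypted = encrypt_hash(key, digest, nonce)
    return hmac.compare_digest(final_hash(encrypted, record.salt), record.final)


def rotate_key(old_key: bytes, new_key: bytes, record: StoredRecord) -> StoredRecord:
    """The PRO from the message: change the secret key without involving the user.

    Decrypt the stored client hash with the old key, re-encrypt it under the new
    key with a fresh nonce, and recompute the final hash over the same salt.
    """
    digest = decrypt_hash(old_key, record.encrypted)
    encrypted = encrypt_hash(new_key, digest)
    return StoredRecord(encrypted, record.salt, final_hash(encrypted, record.salt))


if __name__ == "__main__":
    rec = register(SERVER_KEY, "correct horse battery staple")
    print("login ok:", verify(SERVER_KEY, rec, "correct horse battery staple"))
    print("wrong pw:", verify(SERVER_KEY, rec, "Tr0ub4dor&3"))
    rotated = rotate_key(SERVER_KEY, b"\x42" * 32, rec)
    print("after rotation:", verify(b"\x42" * 32, rotated, "correct horse battery staple"))
```

One thing worth checking in any implementation of this design: `rotate_key` only works because the encrypted string is stored alongside the final hash and the encryption is reversible. If only the final hash were kept, or a keyed hash were used in place of encryption, the key could not be rotated without every user logging in again.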