[OWASP_PHPSEC] Second Library - Password Management

rahul chaudhary rahul300chaudhary400 at gmail.com
Wed May 29 05:13:25 UTC 2013


And does everyone agree on the fact that for these operations, it's probably
best that we create a separate "crypto library" that deals with
encryption/decryption/key mgt/salting/and hashes...


On Wed, May 29, 2013 at 1:10 AM, rahul chaudhary <
rahul300chaudhary400 at gmail.com> wrote:

> so can we do this??
>
> first user enters their passwords in plaintext. their passwords get
> simply hashed and reach the server. We encrypt those hashes with a secret
> key of our own and store that encrypted string in DB (These strings, as you
> pointed out, need to be stored with extra security). Then we create a
> random salt and store this salt in DB......Then finally we hash the stored
> encrypted string and the random salt and produce a final hash value stored
> in our DB...
>
>
> PRO: In case hashes get stolen, they would anyway be encrypted with
> our secret key and so we can now do two things --- change the encryption
> key or change the encryption mechanism....so the user password will still
> be the same, but the underlying mechanism wholly depends on the encryption
> key......As a side effect...it saves us from rainbow cracks also.
>
> CONS: It surely will take time because encryption can be bulky
> sometimes....but this is not much of a problem.
>
>
> and for now we can just use SHA-512.
>



-- 
Regards,
Rahul Chaudhary
Ph - 412-519-9634
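As an added illustration (not code from the OWASP PHPSEC project or from the thread's author), the pipeline proposed in the quoted message, hash on the client, encrypt under a server key, salt, hash again, written out as an enroll/verify pair in PHP. The cipher choice, the 16-byte salt and `$serverKey` are assumptions; the IV is stored with the record because the proposal does not say how the ciphertext is made reproducible at verification time.

```php
<?php
// Added illustration of the proposal in the quoted message: hash -> encrypt -> salt -> hash.
// Not code from the OWASP PHPSEC project. Cipher, salt length and $serverKey are assumptions;
// the key would live outside the DB, as the message itself requires for the encrypted strings.

const CIPHER = 'aes-256-cbc';

// Step 1 (client side in the proposal): the password is hashed before it reaches the server.
function clientHash(string $password): string {
    return hash('sha512', $password);
}

// Steps 2-4 (server side): encrypt the received hash, salt it, hash again.
// Returns the three values that must be stored together: final hash, salt and IV.
function enrollPassword(string $receivedHash, string $serverKey): array {
    $iv   = random_bytes(openssl_cipher_iv_length(CIPHER));
    $salt = random_bytes(16);
    $encrypted = openssl_encrypt($receivedHash, CIPHER, $serverKey, OPENSSL_RAW_DATA, $iv);
    if ($encrypted === false) {
        throw new RuntimeException('encryption failed');
    }
    return [
        'final' => hash('sha512', $encrypted . $salt),
        'salt'  => bin2hex($salt),
        'iv'    => bin2hex($iv),
    ];
}

// Verification recomputes the same pipeline with the stored salt and IV and compares in constant time.
// Without the stored IV the ciphertext, and therefore the final hash, could not be reproduced.
function verifyPassword(string $receivedHash, array $record, string $serverKey): bool {
    $encrypted = openssl_encrypt($receivedHash, CIPHER, $serverKey, OPENSSL_RAW_DATA, hex2bin($record['iv']));
    if ($encrypted === false) {
        return false;
    }
    $candidate = hash('sha512', $encrypted . hex2bin($record['salt']));
    return hash_equals($record['final'], $candidate);
}

// Constructed demo values.
$serverKey = random_bytes(32);   // placeholder for a key held outside the DB
$record    = enrollPassword(clientHash('correct horse'), $serverKey);

var_dump(verifyPassword(clientHash('correct horse'), $record, $serverKey));
var_dump(verifyPassword(clientHash('wrong horse'), $record, $serverKey));

// Caveat on the "just change the key" PRO: the stored final hash depends on the ciphertext,
// so after a key rotation every existing record fails verification until it is re-enrolled.
var_dump(verifyPassword(clientHash('correct horse'), $record, random_bytes(32)));
```

The last call shows the operational cost of the key-rotation argument: rotating the key invalidates every stored record, so rotation needs a re-enroll-at-next-login step that the proposal does not describe.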

