
Possible Duplicate:
PHP 2-way encryption: I need to store passwords that can be retrieved

Lately I'm a little confused after reading several tutorials on storing passwords in databases. Most sites say that the best approach is to use a hash and a salt to store the passwords, or to store the passwords in two parts, or to add a general key for all passwords.

I saw several methods with crypt, sha, sha256, md5 and blowfish.

My question is: is using the crypt function with Blowfish safe, or are there better/safer and more effective methods for storing passwords?

Cainã
  • The safe way is to not store the password at all. Just store a hash, using a slow hash algorithm like whirlpool, as you have mentioned. Is there a particular reason you need to store an actual password? – Brad Nov 05 '12 at 22:23
  • 4
    Can't be more than a few thousand threads on this here at S.O. –  Nov 05 '12 at 22:24
  • Nothing is safe, but a longish random salt stored in the DB together with the hash, not the password, and using crypt should be fine. – adeneo Nov 05 '12 at 22:24
  • 1
    Also, keep in mind that everyone on here is a security nut (in a good way). If you are running a small web site, you don't need to use enterprise level security. A simple hash + salt should be more than enough. – thatidiotguy Nov 05 '12 at 22:24
  • 1
    But if eventually my site becomes a big site, I wouldn't be able to change the security type because all user hashes would already be stored. Because of this I'd like to begin development with a good hashing algorithm. – Cainã Nov 05 '12 at 22:27
  • Building your 'cat blog' (no insult to cat blogs intended) site as if it were a bank, because it may be one some day, is not a great idea. –  Nov 05 '12 at 22:29
  • @Dagon: However, the risk with exposing passwords is not just a threat to one's own application - users often use the same passwords across multiple security domains, so having their credentials compromised leads to bad people accessing things that actually matter. Sure, you can say that's the user's fault for reusing the same credentials, but that argument won't save your reputation. – eggyal Nov 05 '12 at 22:32
  • If I wanted just a blog I'd probably use Wordpress or Blogger instead. What I mean is that I want to begin with something reasonable in terms of security. – Cainã Nov 05 '12 at 22:33
  • @RedCurley: Have a read through [The definitive guide to forms based website authentication](http://stackoverflow.com/a/477578). – eggyal Nov 05 '12 at 22:35
  • There are very large books on the subject; pick any one of the related questions on the right, any option is probably going to be just fine. –  Nov 05 '12 at 22:36
  • See also [this answer to "How can I store my users' passwords safely?"](http://stackoverflow.com/questions/1581610/how-can-i-store-my-users-passwords-safely/1581919#1581919) – feeela Nov 05 '12 at 22:46

1 Answer

2

Well, apart from the obvious (not storing, hashing, etc.), I'd say don't use the regular {MD5, SHA1, SHA256, SHA512, SHA-3, etc.} if you can, even if you can salt them. Reasons for this can be found at:

http://codahale.com/how-to-safely-store-a-password

Simply put: use bcrypt.

You might want to read up on this topic at:

Password hashing, salt and storage of hashed values
http://dustwell.com/how-to-handle-passwords-bcrypt.html
https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

ktolis
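As an added example (not code from the original question or answer), the two bcrypt routes in PHP: the manual crypt() call with a Blowfish salt that the question asks about, and password_hash()/password_verify() with a rehash-on-login step that addresses the comment about being locked into the first scheme chosen. It assumes PHP 7.0 or later; the $users array and the user names are hypothetical stand-ins for a database table.

```php
<?php
// Added example, not from the original post: bcrypt via PHP's crypt() and
// the password_hash() API. Assumes PHP >= 7.0; the $users array is a
// hypothetical in-memory stand-in for the database table.

// The route the question asks about: crypt() with the Blowfish scheme.
// The salt is 22 chars from [./A-Za-z0-9]; "$2y$" selects the corrected
// Blowfish implementation and "12" is the cost (2^12 key-setup rounds).
function bcrypt_crypt(string $password, int $cost = 12): string {
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    $hash = crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
    // On failure crypt() returns a short string such as "*0", never 60 chars.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Preferred route: password_hash() generates the salt and formats the string.
const BCRYPT_OPTS = ['cost' => 12];

function store_password(array &$users, string $user, string $password): void {
    $users[$user] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
}
// password_verify() re-runs crypt() and compares in constant time; the
// password_needs_rehash() step lets the cost be raised later without
// resetting anyone's password, which answers the worry about being locked in.
function login(array &$users, string $user, string $password): bool {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, BCRYPT_OPTS);
    }
    if (!isset($users[$user])) {
        password_verify($password, $dummy); // same cost as a real check
        return false;
    }
    if (!password_verify($password, $users[$user])) {
        return false;
    }
    if (password_needs_rehash($users[$user], PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $users[$user] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    }
    return true;
}

$users = []; // constructed sample store
store_password($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(strlen(bcrypt_crypt('example')) === 60);
```

Raising the cost in BCRYPT_OPTS later makes password_needs_rehash() return true on each user's next successful login, so existing hashes migrate transparently instead of forcing a password reset.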