Questions tagged [password-storage]

Password storage is often a tricky issue - where do you keep it so that it is well protected? This tag deals with problems relating to the management of user credentials in a system. Typically, this would involve some sort of encryption or manipulation of permissions so that not everyone can see the password of a given user.

83 questions
6 votes, 3 answers

PHP Password storage with HMAC+nonce - Is nonce randomness important?

A few years ago I asked here on Stack Overflow about how to make PHP password storage safe. The main answer suggests using the following hashing algorithm: function hash_password($password, $nonce) { global $site_key; return hash_hmac('sha512',…
luiscubal

5 votes, 2 answers

Re-hashing a hashed password

Assumed knowledge: Hashing, Salting, PBKDF[1-2]. Problem: I am storing passwords in my database using a scaled hashing/salting algorithm like PBKDF2. I thought 'Hey, if I hash my passwords 20000 times, that should be secure enough against brute force…
David Colwell

5 votes, 2 answers

Is it a good idea to use the password itself as a salt?

I have read in many articles that we should combine a unique salt with each password before hashing and store the salt in the database for verification, but how about using the password itself as a salt? Doing this will benefit as the salt will be…
Shubanker

4 votes, 7 answers

Is there a safe way to send a user their password in clear text via email?

If I understand correctly, the biggest problem with sending a password via email is that it requires the password to be stored in clear text in the database. If the DB is compromised, the attackers will gain access to all accounts. Is there a…
sbichenko

4 votes, 1 answer

KeyStorage .Net equivalent for Java?

I'm looking for an equivalent to the KeyStorage .Net (http://keystorage.codeplex.com/) library for Java. The library allows password management on different OS, using the respective native mechanisms to do so. I.e. DPAPI on Windows, Keychain…
Carsten

3 votes, 5 answers

Do banks store passwords as plain text?

I've seen some websites, particularly banking sites, that ask you to enter this (for example). Sometimes they ask for this to prove my identity over the phone: The 2nd character of your password; The 5th character of your password; The 6th character…
Connell

3 votes, 2 answers

One time salts and server password comparison

I've read that one of the more secure ways to authenticate a user is to use one time salts when hashing the password. What I don't get is: If the client generates a new salt every session, won't the resulting salt+password hash be different every…
Gorkamorka

3 votes, 2 answers

Secure website password storage

I've seen a number of posts about using salts and hashes to create secure versions of passwords that can be stored in a database. However, one question is puzzling me and I can't see a problem so I thought I'd post the question here and see if…

3 votes, 4 answers

Safely store credentials between website visits

I'm building a website which allows users to create accounts and access the site's content. I don't want users to log in each time they visit the site, so I'm planning on storing the username and password in a cookie -- however, I've heard this is…
Juliet

3 votes, 3 answers

MySQL: Check if username and password match in database

I have a form which has a textbox with the name attribute username and another one with the name attribute password. I also have a database with columns called user and pass. When my users signed up it added the username to the user column and…
Will Evans

3 votes, 4 answers

How to store a password without a database (PHP)?

I would like to have a page that requires a password to login, but without a database. I was thinking of having it hard coded in the page, i.e.: $password = "something" Or encrypt it and store it in a text file? Any advice is appreciated.
sqram

3 votes, 4 answers

Encryption of passwords on disk for open source desktop applications

Is it possible to store passwords on the local system (Windows XP) that can only be accessed by the application itself? My instinctive answer would be "no". Even if some kind of hashing or encryption is used I would think that as long as the source…
Wayne Koorts

3 votes, 3 answers

Why not use MD5 for password hashing?

I have a friend who is a white hat hacker. He says that md5 is not really that bad and actually is really secure, just if we use it properly. I believe that he is right. As I know, there are 3 ways to break hashes: Using Rainbow tables (Which can…
Masoud

2 votes, 1 answer

Storing bcrypt hashes

According to PHP's doc, bcrypt salts are made of "$2a$", a two digit cost parameter, "$", and 22 digits from the alphabet "./0-9A-Za-z". So, if I use the crypt() function to hash my passwords, the resulting output includes the first 7 chars…
geezmo

2 votes, 0 answers

Have the default password requirements in PHP ever changed, such that password_needs_rehash() would return true for default options?

I have recommended to a client that their login system implement password_needs_rehash, so that as their version of PHP is upgraded, the user accounts within their web app will have the password automatically rehashed and re-saved. My reason for…
halfer
