Re: Is this secure
- From: Gef.Mongoose@xxxxxxxxx
- Date: 11 May 2006 03:22:05 -0700
Ray Booysen wrote:
Gef.Mongoose@xxxxxxxxx wrote:
What would be considered a secure way to store passwords?Hi Gef
Paul
I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.
When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.
If the user changes their password a new salt is generated and stored
again in the database.
Hope this helps.
Regards
Ray
Hi Ray,
Thats a big help. I've just rewritten the password section to use sha1
+ salt. As stated in a previous post, I currently store a users role
and ID in a session var. But another poster stated this is a security
risk as the role might be changed within the session. A solution is to
just store the user ID and use it to check the role in the db each page
load. Does this sound like a safe way of doing this? I'm just concerned
about the DB getting hit each page load first for role check and then
to pull out the needed data.
Paul
.
- Follow-Ups:
- Re: Is this secure
- From: Ray Booysen
- Re: Is this secure
- References:
- Is this secure
- From: Gef . Mongoose
- Re: Is this secure
- From: Gef . Mongoose
- Re: Is this secure
- From: Ray Booysen
- Is this secure
- Prev by Date: RE: Row Command Firing twice in GridView Control
- Next by Date: Re: Switching to Design Mode in VS2005
- Previous by thread: Re: Is this secure
- Next by thread: Re: Is this secure
- Index(es):
Relevant Pages
|
Loading
