Re: Is this secure


Ray Booysen wrote:
Gef.Mongoose@xxxxxxxxx wrote:
Ray Booysen wrote:
Gef.Mongoose@xxxxxxxxx wrote:
What would be considered a secure way to store passwords?

Paul

Hi Gef

I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.

When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.

If the user changes their password a new salt is generated and stored
again in the database.

Hope this helps.

Regards
Ray

Hi Ray,

I've created a class to create a random salt, use it with a password
to created a salted hash and then put it and the salt into the db.
I'm curious as to what stored proc you use to validate a login
password. When the user wishes to log in, they will supply their
password, but then i'd need the salt to create a saltedhash to compare
against the one in the database. Wouldn't this mean pulling the salt
for the uer out to create the saltedhash?

Paul

For the case of authenticating, the user name and password is passed to
the database. In the stored proc, the password is salted with the
stored salt and hashed. Then this hash is compared to the stored hashed
password. If they are the same, you can pass back true or 1 or whatever
you want.

Let me know if you need any other info! :)

Regards
Ray

Hi Ray,

Thanks for the answers :). I'm currently using MySQL server with this
project, and it doesn't contain any functionality for hashing etc (as
far as I am aware anyway). So this means I would have to create the
hash outside the DB. Would pulling the salt out to create the salted
hash when a user tries to log in create any huge security risk? (I
can't see another way of doing this with MySQL server - but i'm still
learning so i might have missed something).

Paul

.

Relevant Pages

  • Re: Is this secure
    ... I use SHA1 to hash my passwords. ... Both the hashed password and salt are stored in the database. ... but then i'd need the salt to create a saltedhash to compare ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Is this secure
    ... I use SHA1 to hash my passwords. ... Both the hashed password and salt are stored in the database. ... but then i'd need the salt to create a saltedhash to compare ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Is this secure
    ... What I do in my business layer I get the salt, then I use my custom classes ... to hash the passed in password then send the Hash to a Stored Proc to ... Both the hashed password and salt are stored in the database. ... but then i'd need the salt to create a saltedhash to ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Is this secure
    ... I use SHA1 to hash my passwords. ... Both the hashed password and salt are stored in the database. ... but then i'd need the salt to create a saltedhash to compare ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: Is this secure
    ... I use SHA1 to hash my passwords. ... Both the hashed password and salt are stored in the database. ... but then i'd need the salt to create a saltedhash to compare ...
    (microsoft.public.dotnet.framework.aspnet)