Re: Is this secure

From: Ray Booysen <rj_booysen_NS@xxxxxxxxxx>
Date: Thu, 11 May 2006 13:41:26 +0100

Gef.Mongoose@xxxxxxxxx wrote:

Ray Booysen wrote:
Gef.Mongoose@xxxxxxxxx wrote:
What would be considered a secure way to store passwords?

Paul

Hi Gef

I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.

When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.

If the user changes their password a new salt is generated and stored
again in the database.

Hope this helps.

Regards
Ray

Hi Ray,

I've created a class to create a random salt, use it with a password
to created a salted hash and then put it and the salt into the db.
I'm curious as to what stored proc you use to validate a login
password. When the user wishes to log in, they will supply their
password, but then i'd need the salt to create a saltedhash to compare
against the one in the database. Wouldn't this mean pulling the salt
for the uer out to create the saltedhash?

Paul

For the case of authenticating, the user name and password is passed to the database. In the stored proc, the password is salted with the stored salt and hashed. Then this hash is compared to the stored hashed password. If they are the same, you can pass back true or 1 or whatever you want.

Let me know if you need any other info! :)

Regards
Ray
.

Follow-Ups:
- Re: Is this secure
  - From: Gef . Mongoose

References:
- Is this secure
  - From: Gef . Mongoose
- Re: Is this secure
  - From: Gef . Mongoose
- Re: Is this secure
  - From: Ray Booysen
- Re: Is this secure
  - From: Gef . Mongoose

Prev by Date: Re: Is this secure
Next by Date: Web Deployment Project
Previous by thread: Re: Is this secure
Next by thread: Re: Is this secure
Index(es):
- Date
- Thread

Relevant Pages

Re: Is this secure
... I use SHA1 to hash my passwords. ... Both the hashed password and salt are stored in the database. ... but then i'd need the salt to create a saltedhash to compare ...
(microsoft.public.dotnet.framework.aspnet)
Re: Is this secure
... I use SHA1 to hash my passwords. ... Both the hashed password and salt are stored in the database. ... but then i'd need the salt to create a saltedhash to compare ...
(microsoft.public.dotnet.framework.aspnet)
Re: Simple VB.NET Web Application Encryption/Decryption of password
... It looks like Michael answered your second question. ... contains a hash and salt, you would return a byte array containing the hash ... SQL 6.5 (it depends on some database settings, ...
(microsoft.public.dotnet.security)
Re: Is this secure
... What I do in my business layer I get the salt, then I use my custom classes ... to hash the passed in password then send the Hash to a Stored Proc to ... Both the hashed password and salt are stored in the database. ... but then i'd need the salt to create a saltedhash to ...
(microsoft.public.dotnet.framework.aspnet)
Re: Can Kerberos be cracked??
... Subject: Can Kerberos be cracked?? ... A "salt" is a "random" value that is appended to the ... possible for you to dictionary-crack my password unless you know the ... >> In order to get the hash you would need to launch a brute force attack ...
(Focus-Microsoft)