Re: Is this secure
- From: Gef.Mongoose@xxxxxxxxx
- Date: 11 May 2006 05:31:20 -0700
Ray Booysen wrote:
Gef.Mongoose@xxxxxxxxx wrote:
What would be considered a secure way to store passwords?Hi Gef
Paul
I use SHA1 to hash my passwords. When a user is created on my site, his
password prefixed with a randomly generated salt and hashed with SHA1.
Both the hashed password and salt are stored in the database.
When the user logs in, his password is sent to the SQL server in plain
text through a stored proc and the stored procedure returns whether it
is correct or not, the salt and hash never leave the database once there.
If the user changes their password a new salt is generated and stored
again in the database.
Hope this helps.
Regards
Ray
Hi Ray,
I've created a class to create a random salt, use it with a password
to created a salted hash and then put it and the salt into the db.
I'm curious as to what stored proc you use to validate a login
password. When the user wishes to log in, they will supply their
password, but then i'd need the salt to create a saltedhash to compare
against the one in the database. Wouldn't this mean pulling the salt
for the uer out to create the saltedhash?
Paul
.
- Follow-Ups:
- Re: Is this secure
- From: Ray Booysen
- Re: Is this secure
- References:
- Is this secure
- From: Gef . Mongoose
- Re: Is this secure
- From: Gef . Mongoose
- Re: Is this secure
- From: Ray Booysen
- Is this secure
- Prev by Date: bump shell commands via ASP
- Next by Date: Re: Is this secure
- Previous by thread: Re: Is this secure
- Next by thread: Re: Is this secure
- Index(es):
Relevant Pages
|
