Single way password storage
11-20-2007, 02:45 PM
La Vida es Sueño
Join Date: Sep 2007
I think the best way would be to MD5 the passwords and then apply a salt to them. This will render the passwords useless if the database's security does get breached because although they have the password hashes, they'll be completely different from the hashes stored in Gmail and Hotmail, for instance, and thus no way to deduce any of the same passwords.
The good thing about the salting is that there's absolutely no way to extract the salt from the hash and therefore uncrackable - and even less crackable in the sense of hash lookups because these databases do not take into account salts. Consider a 5 character salt, this would add thousands, if not millions if you take into consideration non-alphanumerical characters, and so a lot of computing power would be required to, not only generate all the hashes for every single dictionary word, but every single salt for every single dictionary word. Meaning if you had the word
then you'd need to compute the hash for
10,000 more times if that's how many salts are possible in the system you have/going to/don't stand a chance in hacking.
However, as we know, security is never that straightforward, and although individuals don't pay attention to advice such as this, I'll say it anyway. You can never trust the source on how your password is getting stored. Albeit I don't change my passwords from site to site, if I register with a website that I feel is important, I use a weak password that I use for all those that I couldn't give a monkey's about - and wouldn't lose any sleep over if someone had access to it. For all you know your password could be stored as plain-text, and as you've specified your email address to sign up with, access to your email inbox has now become a grave reality - sadly :(.
The man who comes back through the Door in the Wall will never be quite the same as the man who went out.
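An added example, not part of Wildhoney's post: the salted-MD5 scheme the post describes, checked against a constructed unsalted lookup table, beside the same salting done with PBKDF2, a slow key-derivation function swapped in for MD5. The word list, function names and iteration count are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

def unsalted_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Constructed sample data: a tiny word list and the unsalted MD5 table
# that a hash-lookup database would hold for it.
WORDS = ["password", "letmein", "dragon", "monkey"]
UNSALTED_TABLE = {unsalted_md5(w): w for w in WORDS}

def salted_md5(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Scheme from the post: random per-user salt, then MD5.
    The salt is stored in the same row as the hash so logins can be checked."""
    salt = os.urandom(5) if salt is None else salt
    return salt, hashlib.md5(salt + password.encode()).hexdigest()

def verify_salted_md5(password: str, salt: bytes, stored: str) -> bool:
    _, candidate = salted_md5(password, salt)
    return hmac.compare_digest(candidate, stored)

def in_unsalted_table(digest: str) -> Optional[str]:
    """What a hash-lookup database does: exact match on a precomputed digest."""
    return UNSALTED_TABLE.get(digest)

def precomputed_entries(n_words: int, n_salts: int) -> int:
    """Table size needed to cover every word under every possible salt."""
    return n_words * n_salts

def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, int, bytes]:
    """Same salting idea with a deliberately slow KDF in place of MD5
    (assumption: iteration count picked for this example)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk

def verify_pbkdf2(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, stored)

if __name__ == "__main__":
    salt, digest = salted_md5("password")
    print("unsalted digest found in table:", in_unsalted_table(unsalted_md5("password")))
    print("salted digest found in table:  ", in_unsalted_table(digest))
    print("entries for 10,000 salts:", precomputed_entries(len(WORDS), 10_000))
```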