TalkPHP
 
 
#21  Mathew  04-26-2008, 07:44 PM

I generate the dynamic hash from something that changes its value all the time. microtime() will do the trick here.

Also, you never unhash a password that has already been hashed; what you want to do is hash the input password with the same algorithm and see if the two match.

Yes, I store the dynamic hash value in a field within the user's table row.
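An added example, not code from this thread, of the two-salt scheme Mathew describes in #21 (and in the post blayne4k quotes further down): one static secret kept outside the database and one per-user salt stored in the user's row, with login hashing the submitted password the same way and comparing the results. Assumptions that the thread does not make: the combination is HMAC-SHA256 keyed with the static secret (the thread names no algorithm), the static secret is read from an APP_PEPPER environment variable, the row columns are called salt and password_hash, and random_bytes() is used for the per-user salt in place of microtime().

```php
<?php
// Added example (not from the thread): static secret ("pepper") + per-user salt.
//
// Assumptions (not from the thread): the pepper lives in the APP_PEPPER
// environment variable, the users table has `salt` and `password_hash`
// columns, and the combination is HMAC-SHA256 keyed with the pepper.
// random_bytes() stands in for microtime() as the per-user salt source.

declare(strict_types=1);

const HASH_ALGO = 'sha256';

/** Static secret shared by all users; must not be stored in the database. */
function pepper(): string
{
    $pepper = getenv('APP_PEPPER');
    if ($pepper === false || strlen($pepper) < 32) {
        throw new RuntimeException('APP_PEPPER must be set to at least 32 characters');
    }
    return $pepper;
}

/** Combine pepper, per-user salt and password the same way on register and login. */
function hashPassword(string $password, string $salt, string $pepper): string
{
    // HMAC keyed with the pepper; the per-user salt is prepended to the message.
    return hash_hmac(HASH_ALGO, $salt . $password, $pepper);
}

/** Registration: produce the two values stored in the user's row. */
function register(string $password): array
{
    $salt = bin2hex(random_bytes(16));   // 128-bit random per-user salt
    return [
        'salt'          => $salt,
        'password_hash' => hashPassword($password, $salt, pepper()),
    ];
}

/** Login: hash the submitted password with the stored salt and compare. */
function verify(string $password, array $row): bool
{
    $candidate = hashPassword($password, $row['salt'], pepper());
    // hash_equals() compares in constant time, so the comparison itself
    // does not leak how many leading bytes of the hash were right.
    return hash_equals($row['password_hash'], $candidate);
}

// Demo with a constructed pepper; a real deployment sets APP_PEPPER outside the code.
putenv('APP_PEPPER=' . bin2hex(random_bytes(32)));

$alice = register('correct horse');
$bob   = register('correct horse');

var_dump($alice['password_hash'] !== $bob['password_hash']); // same password, different rows
var_dump(verify('correct horse', $alice));
var_dump(verify('wrong', $alice));
```

Run as `php example.php`: the first two dumps are true (same password, different hashes; login succeeds) and the third is false. The per-user salt is the part that makes two identical passwords hash differently; the pepper is the part an attacker who only has the table is missing. In current PHP the usual choice is password_hash()/password_verify(), which handles salting and a slow hash for you; the scheme above mirrors the thread's design rather than replacing it.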
#22  delayedinsanity  04-26-2008, 08:07 PM

Yeah, I wrote that really quickly on my way out the door to school. I worded that wrong regarding "unhashing". So technically, if a hacker gets your users table, they have part of the salt too, but chances are they don't even realize it, as I'm willing to bet you don't name it "password_salt".
-m
#23  Mathew  04-26-2008, 08:15 PM

If they got the users table along with the static hash, it would be virtually impossible for them to brute force the passwords anyway.

Since I am using microtime as a dynamic salt, if they wanted to try and brute force the passwords they would have to try each possible value that microtime can produce.

delayedinsanity: It would not matter what the column was named. If they were smart enough to hack into the database, I do not think a renamed hash column would confuse them.
#24  delayedinsanity  04-26-2008, 08:20 PM

Well, why couldn't it? If you used a regular Unix timestamp, or even MySQL's datetime, which you could then translate into the timestamp, as your dynamic hash, and had it stored in a field called, say, "registered_on", how do they know you're using that as a salt? It just looks like you're recording the timestamp of when they signed up.

Security isn't just locking the door, sometimes it's making the door hard to find.
-m
#25  sarmenhb  04-27-2008, 10:26 PM

As for the formula they use, I doubt anyone knows that because it's a secret, well, unless you work for them.

It's probably SHA-1 or something stronger, but I don't think there are people out there trying to crack MD5 or SHA-1 encryptions unless they have a really good reason.

So unless you're trying to run something that stores a user's account information that has to deal with money, or very, very personal information like social security numbers, etc., then I wouldn't worry about making your database too security-proof.

Unless you get people from the ha.ckers.org web application security lab trying to penetrate your web app and telling everyone about it,

then I wouldn't worry so much.
#26  blayne4k  04-28-2008, 03:36 PM

Quote (originally posted by Mathew):
    For my projects I use a combination of 2 salts (1 static, 1 dynamic). When a user registers on my website, the backend will generate a random salt key for each user. Even if 2 different users register on my website with the same password, the resulting hash will be different.

    So if the database was ever hacked or stolen, they would be missing the static salt key, thus it would prove to be impossible for them to brute force any of the passwords.

    However, I'll touch wood, just in case.

They could still brute force it, but they would need the salt in order to get it. They would see $password.$salt; they could just start taking things off and see what happens. Even though I'm sure nobody is stupid enough to just take the database without looking at the files. There is always something important there.
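An added example, not code from this thread, of the attacker's side of the argument in #23, #24 and #26: what someone holding a stolen users table can do against the static-plus-dynamic salt scheme, and what difference the column name and the static secret actually make. The hashing formula (HMAC-SHA256 keyed with the static secret over salt . password), the column names and the row contents are all constructed for the example; the thread specifies none of them.

```php
<?php
// Added example (not from the thread): dictionary attack on one stolen row.
//
// Assumptions (not from the thread): the site hashes as
// HMAC-SHA256(key = static pepper, message = salt . password), and the per-user
// salt is a microtime()-style value stored in a column named "registered_on".
// All data below is constructed for the example.

declare(strict_types=1);

function hashPassword(string $password, string $salt, string $pepper): string
{
    return hash_hmac('sha256', $salt . $password, $pepper);
}

/**
 * Try a small wordlist against one stolen row. The attacker does not know which
 * column holds the salt, so every column value is tried as the salt candidate;
 * hiding the salt under another name multiplies the work only by the number of
 * columns. Returns [column, password] on success, null if nothing matched.
 */
function crackRow(array $row, array $wordlist, string $pepper): ?array
{
    foreach ($row as $column => $value) {
        if ($column === 'password_hash') {
            continue;
        }
        foreach ($wordlist as $guess) {
            $candidate = hashPassword($guess, (string) $value, $pepper);
            if (hash_equals($row['password_hash'], $candidate)) {
                return [$column, $guess];
            }
        }
    }
    return null;
}

// --- constructed data -----------------------------------------------------
$pepper = 'static-secret-kept-in-config.php';   // stored outside the database
$salt   = '1209180540.12345';                   // microtime()-style per-user salt

$stolenRow = [
    'id'            => 42,
    'username'      => 'mathew',
    'registered_on' => $salt,                   // the salt, under a harmless-looking name
    'password_hash' => hashPassword('letmein', $salt, $pepper),
];

$wordlist = ['123456', 'password', 'letmein', 'qwerty'];

// Case 1: database and config file both stolen, so the static secret is known.
var_dump(crackRow($stolenRow, $wordlist, $pepper));

// Case 2: only the database stolen; the attacker has to guess the static secret too.
var_dump(crackRow($stolenRow, $wordlist, 'wrong-pepper'));
```

Run as `php attack.php`: the first call returns the "registered_on" column together with "letmein", the second returns null. The column name never slowed the attacker down; the per-user salt only forces the wordlist to be re-hashed per row rather than once for the whole table; and the one thing that stopped case 2 was the static secret not being in the stolen data, which is why it has to live somewhere other than the database and be long enough that it cannot be guessed like a password.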
Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2013, Jelsoft Enterprises Ltd.