Comments on: Just Hashing is Far from Enough for Storing Passwords – How to Position against Dictionary and Rainbow Table Attacks

By: ralbon

ralbon — Mon, 15 Mar 2010 15:01:59 +0000

The problem is that if someone steals the database or somehow gains access to it, then application-level security measures (like a captcha) becomes totally moot.

By: cyberRoze

cyberRoze — Mon, 15 Mar 2010 07:05:44 +0000

that was great tip EllisGL, tnx

By: matth

matth — Thu, 11 Mar 2010 09:38:17 +0000

Hey guys seriously,
I don’t think saltiness is that safe. What about adding a captcha after 3 login mistakes?
This way is much simpler, faster on server side and nobody is gonna crack your password .
But well, maybe I’m missing the point.
Yes? No?

By: Yang Yang

Yang Yang — Thu, 11 Mar 2010 01:09:19 +0000

Awesome tip, thanks, Michiel!

By: MichielH

MichielH — Wed, 10 Mar 2010 15:38:15 +0000

It might be worth looking into PBKDF2 (RSA lab’s password based key derivation function). The function combines a good “salt function” (like hmac) with key strengthening. Add a strong hash function like Whirlpool and you’re good to go for a while :-). Someone posted an implementation of it on php.net at http://www.php.net/manual/en/function.hash-hmac.php#92684 .

By: Yang Yang

Yang Yang — Wed, 10 Mar 2010 04:06:26 +0000

Thanks for the comment, Josh.

However, random salting with lengthy salts can make the reverse-hashing so painfully time-consuming that 99.99% of the applications out there should have a good security bet with it. Because it’s just not worth it to spend so much time on cracking them.

No one nor any security approach can completely prevent cracking once and for all. We just increase the cost of cracking to an unbearable point. That’s what we do.

By: Josh Johnston

Josh Johnston — Tue, 09 Mar 2010 23:01:04 +0000

In the end, no amount of salting will keep a hashed password safe from a sufficiently powerful brute force attack. Your best bet is to prompt a user to reenter their password or some other identifying information whenever they are about to view or make any changes to sensitive information.

By: Kavoir.com: Just Hashing is Far from Enough for Storing Passwords (Dictionary & Rainbow Attacks) | Webs Developer

Tue, 09 Mar 2010 21:01:23 +0000

[...] Kavoir.com there’s a new post that reminds you that hashing isn’t enough anymore to protect your users and their passwords. They offer a suggestion or two of what you can do to [...]

By: PHP Security Checklist for Websites and Web Applications – Bottom Line for Every Good PHP Developer

Tue, 09 Mar 2010 05:35:52 +0000

[...] store plain text passwords in your database. Instead, salt and hash the passwords. Bottom line is sha1(). Better yet, use hash() with various more advanced algorithms. Never use [...]

By: Yang Yang

Yang Yang — Fri, 05 Mar 2010 00:41:20 +0000

Thanks Ellis, that’s a nice tip!

By: EllisGL

EllisGL — Thu, 04 Mar 2010 20:53:36 +0000

I usually try doing
$salted = hash(‘sha512′, $password.$userid.$username.$email.$joined.$lastLogin);

Each time they logged in the password would be re-saved with a fresh saltyness