Dear Friends,
I have a question in security programming. As all of us know, when we have a database with passwords or anything sensitive, we would like to encrypt it so it is not readable by other. Now I want to know, which of the method is secured or less secured. Is it Iterative Salting (1000x iterative) or Encryption method such as SHA 256, MD5, and all others. Kindly give me your opinion on this please.
Thank you.
As far as I understand those things, you have to salt first, and then hash it - and not just md5, but really a lot of them mixed. It's a good idea to use someone else's security script, also.
Yes Mr Twiss... But I want to know if salt and hash alone is as equally secured as encryption alone? Any explaination for that Please?
Im sorry...correction in the post...
Is it Iterative Salting (1000x iterative) or Encryption method such as Blowfish, AES, DES and all others. Kindly give me your opinion on this please.
You shouldn't encrypt passwords, you should hash them.
How if I want to store the password in a database? What Should I do with the database? Encrypt or Hash? Sorry for asking too many probing questions Mr Twiss.. Thank you for your help though. :)
OK. What you need to do:
At password creation (registration or change)
- create a random salt (for example f4i, or whatever, it doesn't have to be long)
- insert into the database $salt . sha1($salt . $password) or $salt . sha1($salt . md5($salt . $password)) , whatever you like. It's best to create or use some function that uses as many md5 and sha1's as possible, perhaps 1000 or 5000 (something that takes a second or 2).
At login, retrieve the password from the database, get the first 3 (salt length) characters, calculate the same (above) and check if it matches.
Again, there are scripts available that do this for you and perhaps even more smart thing I can't think of.
Okay i got that Mr twiss... This is about hashing the password and retrieving it... Can I know if we can hash a database which Im going to use to store the user name and password?
You shouldn't hash the username, only the password, if that's what you're asking.
Ermm yes I am aware that I have to hash only the password... but how to give security to the database which im going to store the password? is hashing the database in whole is possible?
No, you should protect the database with a password, and make it accessible from localhost only. But if you're on a shared host that's most of the times been done already for you.
And, if you can, it's best to disable phpmyadmin and the like if your site goes live.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.