Thread: store password

  1. #1 abalfazl (PEACE WILL WIN)

    store password

    Hello!

    "Can you avoid storing the secret?
    If you use an alternative implementation technique, it could remove the need to
    store secrets. For example, if all you need to do is verify that a user knows a
    password, you do not need to store passwords. Store one-way password hashes
    instead.
    Also, if you use Windows authentication, you avoid storing connection strings
    with embedded credentials."

    What are "one-way password hashes"? Which "alternative implementation techniques" do you suggest for storing passwords?

    "Do You Store Secrets?
    Secrets include application configuration data, such as account passwords and
    encryption keys. If possible, identify alternate design approaches that remove any
    reason to store secrets. If you handle secrets, let the platform handle them so that the
    burden is lifted from your application wherever possible."

    Could someone explain more about this: "If you handle secrets, let the platform handle them so that the
    burden is lifted from your application wherever possible"?
    I shall build a boat,I shall cast it in the water,
    I shall sail away from this strange earth,
    Where no one awaken the heroes in the wood of love
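    As an added illustration of the "let the platform handle them" sentence (this fragment is not from the thread or from the guide it quotes), here is an ASP.NET web.config connectionStrings section with the weak form beside the corrected form. Server, database, account name and password are placeholders; the two entries are given different names only so both can appear in one file.

```xml
<!-- Added example, not from the thread. Names and the password are placeholders. -->
<connectionStrings>
  <!-- Weak: a SQL login and its password are embedded in the config file.
       Anyone who can read the file, a backup of it, or a source-control copy
       has the database credentials, and the application must protect them. -->
  <add name="InventoryWithEmbeddedSecret"
       providerName="System.Data.SqlClient"
       connectionString="Server=dbhost;Database=Inventory;User ID=appuser;Password=S3cret!" />

  <!-- Corrected: Windows (integrated) authentication. The application runs under
       a domain or service account, and the platform authenticates that identity
       to SQL Server. No password appears anywhere in the application's files. -->
  <add name="Inventory"
       providerName="System.Data.SqlClient"
       connectionString="Server=dbhost;Database=Inventory;Integrated Security=SSPI" />
</connectionStrings>
```

    The second form is what the quoted guide means by letting the platform carry the burden: the credential that proves the application's identity is managed by the operating system (the service account), not by the application's own configuration, so there is no secret to encrypt, rotate or leak from the file.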

  2. #2 SitePoint Member
    Well, really, what the author is trying to say (I hope) is that you should leave the cryptographic stuff to the cryptographers, so don't make your own password storage/hashing scheme.

    One-way hashes are "one-way", e.g. MD5 etc. http://en.wikipedia.org/wiki/Cryptographic_hash_function

    As for what "alternative implementation techniques", all depends on what you are doing.

  3. #3 SitePoint Member
    A one-way hash is a cryptographic function that can't be reversed. The same text always produces the same hash, but if you look at the hash, it is not feasible to know what the original text was. Some one-way hash functions are MD5, SHA1, and SHA2.

    Hashes are commonly used to store passwords because each time the password is entered, you can verify it by hashing it and comparing it to the old hash, since it will always produce the same result. If someone compromises your system and gets the hash, it should not be possible to find out what the original password was.

  4. #4 SitePoint Wizard
    Unless they have a rainbow table and the passwords are simple. However, salting takes care of that.
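    As an added example (not code posted in the thread), a short Python script that puts posts #3 and #4 side by side: verifying a login by re-hashing and comparing, the rainbow-table lookup that breaks an unsalted hash of a simple password, and the salted version that defeats it. The password list and the "rainbow table" are constructed for the demo. PBKDF2-HMAC-SHA256 is used because it ships with the standard library; a dedicated password hash such as bcrypt, scrypt or Argon2 is the usual choice in practice. One caveat on the posts above: MD5 and SHA1 are fast general-purpose hashes, which is exactly what makes table lookup and brute-force guessing cheap. Salting defeats precomputed tables; a slow, iterated function is what makes per-guess brute force expensive.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: unsalted MD5 digests of a handful
# of common passwords. Real tables hold billions of entries, but the attack is
# the same dictionary lookup.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password):
    """The scheme posts #2 and #3 describe: hash the password alone, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(stored_hex):
    """Recover the password behind an unsalted MD5 hash by table lookup, or None."""
    return MD5_TABLE.get(stored_hex)


def hash_password(password, salt=None, iterations=100_000):
    """Salted, slow one-way hash. Format: pbkdf2_sha256$iterations$salt_hex$digest_hex.

    The salt is a fresh random value per password and is stored next to the
    digest (it is not a secret). The iteration count makes each guess costly
    for an attacker who has stolen the stored string.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and parameters; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Unsalted: whoever steals the hash recovers a weak password instantly.
    leaked = unsalted_md5("letmein")
    print("unsalted MD5", leaked, "->", crack_unsalted_md5(leaked))

    # Salted: two users with the same weak password get unrelated stored values,
    # and a table precomputed without these salts is useless against them.
    alice = hash_password("letmein")
    bob = hash_password("letmein")
    print("same password, different records:", alice != bob)
    print("login with right password:", verify_password("letmein", alice))
    print("login with wrong password:", verify_password("letmeout", alice))
```

    Two details worth keeping from this: the salt lives in the stored record, so verification never needs a second secret, and the comparison uses hmac.compare_digest rather than == so that a timing difference does not leak how many bytes of the digest matched.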
