Hashing and salting user passwords


Post #: 31
Post type: Blog post
Date: 2012-10-04 00:01:50.000
Author: Rocket Man

It's generally considered to be a bad idea to keep clear-text passwords in your database. If the database is ever compromised, hackers will have everyone's passwords.

What most sites do is hash the passwords using a one-way algorithm, like SHA1, which is a 160-bit encryption. Newlisp has a SHA1 function included in the module crypto.lsp.

Unfortunately, hackers these days use dictionary-based attacks, where they take every word in the dictionary (and many common password combinations that include numbers or years) and then just run them through SHA1 or the equivalent, and check to see if they match the compromised stored password hash.

To prevent this, people have been adding salt to the passwords and then encrypting THAT. Salt is just a random number. Each user gets its own Salt, which is stored in the user database. This way, attackers would have to run separate dictionary attacks for every user, and that's assuming they know the salting algorithm.

I found a great article on password security here: http://phpsec.org/articles/2005/password-hashing.html

It outlines the whole process and shows how to handle it in PHP. I'm building in the equivalent in Rockets using newLISP code, which will be part of the user sign in process.


View this post in the forums

Views: 6028