In this article I’m going to cover password hashing, a subject which is often poorly understood by newer developers. Recently I’ve been asked to look at several web applications which all had the same security issue: user profiles stored in a database with plain text passwords. Password hashing is a way of running a password through a one-way function before it is stored, so that if your database gets into the wrong hands the damage is limited. Unlike encryption, there is no key that turns the stored value back into the password; the application checks a login by hashing whatever the user typed and comparing the result with the stored hash. Hashing is nothing new: it has been used in Unix system password files since long before my time, and quite probably in other systems long before that. In this article I’ll explain what a hash is, why you want to use one instead of storing real passwords in your applications, and give you some examples of how to implement password hashing in PHP and MySQL.
As you read on you’ll see that I advocate the use of a hashing algorithm called Secure Hash Algorithm 1 (SHA-1). Since I wrote this article, a team of researchers (Xiaoyun Wang, Yiqun Lisa Yin and Hongbo Yu) have shown SHA-1 to be weaker than was previously thought: collisions can be found in far fewer operations than the 2^80 a 160-bit hash should require. This means that for purposes such as digital signatures, where collision resistance is what matters, stronger algorithms like SHA-256 and SHA-512 are now being recommended. For generating password hashes the collision attack is not the direct threat, since an attacker holding your database wants the input that produced a given hash, not two inputs sharing a hash, and SHA-1 still provides an adequate level of security for most applications today. You should be aware of the issue, however, and begin to think about using stronger algorithms in your code as they become more readily available. Two caveats apply whichever SHA variant you pick: always combine the password with a random per-user salt before hashing, otherwise identical passwords produce identical hashes and one precomputed table cracks the whole database; and because every SHA variant is designed to be fast, an attacker can test enormous numbers of candidate passwords per second against a stolen hash, which is why deliberately slow, purpose-built password hashes such as bcrypt (what PHP’s password_hash() uses by default) are preferred today.
Source: PHP Security Consortium: Password Hashing
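The following is an added example written for this page; it is not code from the original article or from the PHP Security Consortium. It shows the salted SHA-1 scheme the article advocates next to PHP’s built-in password_hash()/password_verify() pair, and how either record is stored in and checked against a MySQL table through PDO. The `users` table, its column names and the PDO handle are assumptions made for the illustration; random_bytes() and password_hash() need PHP 7.0 and 5.5 respectively.

```php
<?php
// Added example, not the original article's code. Table and column names
// (users, username, salt, pw_hash) and the PDO connection are assumptions.

const SALT_BYTES = 16;

// --- 1. Salted SHA-1 (the article's approach, with a per-user salt) -------

// Returns ['salt' => 32 hex chars, 'hash' => 40 hex chars] for storage.
function sha1_make_record(string $password): array
{
    $salt = bin2hex(random_bytes(SALT_BYTES));  // random, unique per user
    $hash = sha1($salt . $password);            // salt prepended, then hashed
    return ['salt' => $salt, 'hash' => $hash];
}

// Recomputes the hash from the stored salt and compares in constant time.
function sha1_verify(string $password, array $record): bool
{
    $candidate = sha1($record['salt'] . $password);
    // hash_equals() avoids the early-exit timing leak of a plain == compare.
    return hash_equals($record['hash'], $candidate);
}

// --- 2. password_hash()/password_verify() (slow, self-salting bcrypt) ------

// The returned string carries algorithm id, cost and salt ("$2y$10$..."),
// so a single VARCHAR(255) column is enough and no separate salt is kept.
function modern_make_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function modern_verify(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// --- 3. Storing and checking the SHA-1 record in MySQL via PDO -------------
// Assumed schema:
//   CREATE TABLE users (
//     username VARCHAR(64)  PRIMARY KEY,
//     salt     CHAR(32)     NOT NULL,
//     pw_hash  VARCHAR(255) NOT NULL   -- 40 chars for SHA-1, ~60 for bcrypt
//   );

function register_user(PDO $db, string $username, string $password): void
{
    $rec  = sha1_make_record($password);
    // Prepared statement: the username never touches the SQL text directly.
    $stmt = $db->prepare(
        'INSERT INTO users (username, salt, pw_hash) VALUES (:u, :s, :h)'
    );
    $stmt->execute([':u' => $username, ':s' => $rec['salt'], ':h' => $rec['hash']]);
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT salt, pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user; the plain text password is never stored
    }
    return sha1_verify($password, ['salt' => $row['salt'], 'hash' => $row['pw_hash']]);
}

// Offline demonstration of the two schemes, no database needed.
$rec = sha1_make_record('correct horse');
var_dump(sha1_verify('correct horse', $rec));
var_dump(sha1_verify('wrong password', $rec));

$stored = modern_make_hash('correct horse');
var_dump(modern_verify('correct horse', $stored));
var_dump(modern_verify('wrong password', $stored));
```

Note that the salt is stored in the clear next to the hash; its job is not to be secret but to make every user's hash unique, so an attacker must attack each stolen hash separately rather than the whole table at once. Migrating from the SHA-1 scheme to password_hash() can be done lazily: on a successful login, where the plain text password is briefly available, compute the new hash and overwrite the old record.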