How not to store passwords.

[Jian]

I have found this video on Computerphile, which teaches us things about computer and programming.

I have picked out this video as it will help you guys (The new developers) on how NOT to store password and how to store them in the recommended way.

 

[GarettM]

So basically a good practice would be to hash your clients passwords with there email or username then encrypt with md5 or sha1? Stay away from normal encryptions loll I am knew using strait md5 and sha1 was bad but I didn't know a few things in the video. Thanks this helped

 

[Jian]

So basically a good practice would be to hash your clients passwords with there email or username then encrypt with md5 or sha1? Stay away from normal encryptions loll I am knew using strait md5 and sha1 was bad but I didn't know a few things in the video. Thanks this helped

No.
Their explanation:
Do NOT hash their username or email together with your password. INSTEAD, create salts and hash them together under a few layers of hash.

 

[GarettM]

No.
Their explanation:
Do NOT hash their username or email together with your password. INSTEAD, create salts and hash them together under a few layers of hash.

Kinda confusing :/ could you show an example of correct salt and hash method in php as an example then?

Also if you hashed a password with there email and then encrypted it every password would be different? I know that a standardly we don't allow the same email to register twice.

 

[Jian]

Something like this:

<?php
  //Password
  $password = 'this_is_my_password';

  //Creating SIMPLE salts.
  $salt_1 = sha1(uniqid());
  $salt_2 = sha1(time());

  $new_password = $salt_1 . $password . $salt_2;

  $hashed_password = sha1(md5($new_password));

  echo $hashed_password;

?>

But of course, this is just a simple concept, do not use this in practice.

 

[Markshall]

Looks like he is doing one of them fucking stupid poses that girls do.

 

[Joopie]

I suggest you should look up PHP crypt. Random salts for life

 

[Markshall]

Something like this:

<?php
  //Password
  $password = 'this_is_my_password';

  //Creating SIMPLE salts.
  $salt_1 = sha1(uniqid());
  $salt_2 = sha1(time());

  $new_password = $salt_1 . $password . $salt_2;

  $hashed_password = sha1(md5($new_password));

  echo $hashed_password;

?>

Bad idea to base the salts on a time/date etc, because when you come back to compare, they will be different.

 

[Ecko]

Something like this:

<?php
  //Password
  $password = 'this_is_my_password';

  //Creating SIMPLE salts.
  $salt_1 = sha1(uniqid());
  $salt_2 = sha1(time());

  $new_password = $salt_1 . $password . $salt_2;

  $hashed_password = sha1(md5($new_password));

  echo $hashed_password;

?>

sha1 is

You must be registered for see links

, stop using it. learn how to use bcrypt or PBKDF2

 

[Markshall]

openssl_random_pseudo_bytes()

 

[Macemore]

use 4096 bit RSA encryption.

 

[Ecko]

If you are using PHP 5.5 you can use its

You must be registered for see links

function. It's possible to create your own salt for this function, but not recommended. On Linux, it will use

You must be registered for see links

to generate a random, secure salt. On Windows, it uses

You must be registered for see links

to generate the salt. I would rather omit the salt parameter so that a cryptographically safe salt is generated by the OS. If you run your own server and are running a lower version of PHP, upgrade.

You must be registered for see links