How not to store passwords.

Jian

Resident Weeb
Contributor
Sep 2, 2011
687
437
I have found this video on Computerphile, which teaches us things about computers and programming.

I have picked out this video as it will help you guys (the new developers) on how NOT to store passwords and how to store them in the recommended way.
 

GarettM

Posting Freak
Aug 5, 2010
833
136
So basically a good practice would be to hash your clients' passwords with their email or username, then encrypt with md5 or sha1? Stay away from normal encryptions lol. I knew using straight md5 and sha1 was bad, but I didn't know a few things in the video. Thanks, this helped.
 

Jian

Resident Weeb
Contributor
Sep 2, 2011
687
437
So basically a good practice would be to hash your clients' passwords with their email or username, then encrypt with md5 or sha1? Stay away from normal encryptions lol. I knew using straight md5 and sha1 was bad, but I didn't know a few things in the video. Thanks, this helped.
No.
Their explanation:
Do NOT hash their username or email together with your password. INSTEAD, create salts and hash them together under a few layers of hash.
 

GarettM

Posting Freak
Aug 5, 2010
833
136
No.
Their explanation:
Do NOT hash their username or email together with your password. INSTEAD, create salts and hash them together under a few layers of hash.
Kinda confusing :/ Could you show an example of a correct salt and hash method in PHP as an example then?

Also, if you hashed a password with their email and then encrypted it, every password would be different? I know that standardly we don't allow the same email to register twice.
 

Jian

Resident Weeb
Contributor
Sep 2, 2011
687
437
Something like this:
PHP:
<?php
  //Password
  $password = 'this_is_my_password';

  //Creating SIMPLE salts.
  $salt_1 = sha1(uniqid());
  $salt_2 = sha1(time());

  $new_password = $salt_1 . $password . $salt_2;

  $hashed_password = sha1(md5($new_password));

  echo $hashed_password;

?>
But of course, this is just a simple concept, do not use this in practice.
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,638
2,393
(image attachment: PjC0eVb.png)

Looks like he is doing one of them fucking stupid poses that girls do.
 

Markshall

Русский Стандарт
Contributor
Dec 18, 2010
2,638
2,393
Something like this:
PHP:
<?php
  //Password
  $password = 'this_is_my_password';

  //Creating SIMPLE salts.
  $salt_1 = sha1(uniqid());
  $salt_2 = sha1(time());

  $new_password = $salt_1 . $password . $salt_2;

  $hashed_password = sha1(md5($new_password));

  echo $hashed_password;

?>
Bad idea to base the salts on a time/date etc, because when you come back to compare, they will be different.
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,398
962
Something like this:
PHP:
<?php
  //Password
  $password = 'this_is_my_password';

  //Creating SIMPLE salts.
  $salt_1 = sha1(uniqid());
  $salt_2 = sha1(time());

  $new_password = $salt_1 . $password . $salt_2;

  $hashed_password = sha1(md5($new_password));

  echo $hashed_password;

?>
sha1 is , stop using it. Learn how to use bcrypt or PBKDF2.
 

Ecko

23:37 [autobots] -!- eckostylez [[email protected]]
Nov 25, 2012
1,398
962
If you are using PHP 5.5, you can use its function. It's possible to create your own salt for this function, but it is not recommended. On Linux, it will use to generate a random, secure salt. On Windows, it uses to generate the salt. I would rather omit the salt parameter so that a cryptographically safe salt is generated by the OS. If you run your own server and are running a lower version of PHP, upgrade.

 
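An added example (mine, not code from Ecko's post or anyone else in the thread) of the PHP 5.5+ password API he describes, using a constructed password; it also shows why the salt has to travel with the stored hash, which was Markshall's objection to the time()-based salts earlier in the thread.

```php
<?php
// Added example (not from the thread): PHP 5.5+'s password_hash() and
// password_verify(). password_hash() asks the OS for a random salt and
// stores it inside the returned string, so the application keeps no
// separate salt and cannot lose it the way a time()-based salt is lost.

// Registration: hash once and store the returned string in the user record.
function storePassword($password)
{
    // PASSWORD_DEFAULT currently selects bcrypt; 'cost' is the work factor.
    // Deliberately no 'salt' option: let PHP generate it.
    return password_hash($password, PASSWORD_DEFAULT, array('cost' => 12));
}

// Login: compare what the user typed with the stored string. The salt and
// cost are parsed back out of $stored, so no other data is needed.
function checkPassword($submitted, $stored)
{
    return password_verify($submitted, $stored);
}

// After a successful login: re-hash if the stored value was produced with
// an older algorithm or a lower cost than the current policy.
function upgradeIfNeeded($submitted, $stored)
{
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, array('cost' => 12))) {
        return storePassword($submitted);
    }
    return $stored;
}

// Demo with a constructed password (the same one used earlier in the thread).
$stored = storePassword('this_is_my_password');
echo $stored, PHP_EOL;

// The correct password verifies; a wrong one does not.
var_dump(checkPassword('this_is_my_password', $stored));
var_dump(checkPassword('wrong_password', $stored));

// Hashing the same password again yields a different string because each
// call draws a fresh salt; only password_verify() can compare the two.
var_dump(storePassword('this_is_my_password') === $stored);

// Keep the stored hash current with the cost policy on each login.
$stored = upgradeIfNeeded('this_is_my_password', $stored);
```

Only the string returned by storePassword() goes in the database; never store the plaintext or a separately generated salt.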
