d2jsp
Log InRegister
d2jsp Forums > Off-Topic > Computers & IT > Programming & Development > Hashing Passwords > Which Is Enough?
Add Reply New Topic New Poll
Member
Posts: 8,724
Joined: Oct 20 2007
Gold: 2,794.65
Jun 24 2012 02:13pm
So people can register on my site and I'm wondering how to store the passwordsy. Which hashing algorithm should I use? I was going to use SHA but php has a few different versions of it I think.

algorithm / produced hash length

sha1 / 40
sha256 / 64
sha384 / 96
sha512 / 128

Which one should I use?
Member
Posts: 219
Joined: Jun 8 2012
Gold: 96.00
Jun 24 2012 02:18pm
sha256 is enough. Also, use salt.
Banned
Posts: 2,525
Joined: Jan 2 2012
Gold: 0.01
Warn: 10%
Jun 24 2012 03:06pm
Quote (Perykles @ 24 Jun 2012 21:18)
sha256 is enough. Also, use salt.


lol

@OP: pbkdf2 with sha512 (I *do not* mean to use sha512. I mean to use pbkdf2 with sha512!)
Member
Posts: 22,605
Joined: Sep 23 2007
Gold: 1.01
Warn: 40%
Jun 24 2012 03:27pm
Quote (Perykles @ 24 Jun 2012 22:18)
sha256 is enough. Also, use salt.


using a weak hash function makes no sense at all.
using pbkdf2 or another slow hashing function (there are a few which have been excessively tested) makes more sense.
Member
Posts: 219
Joined: Jun 8 2012
Gold: 96.00
Jun 24 2012 04:51pm
Oh, good to know, thx ;d
Member
Posts: 22,605
Joined: Sep 23 2007
Gold: 1.01
Warn: 40%
Jun 24 2012 04:57pm
Quote (Perykles @ 25 Jun 2012 00:51)
Oh, good to know, thx ;d


well, don't overdo it - if you use pbkdf2 with too many iterations it will get very slow, which is actually good for security.
but it's also good for attackers who ddos your site - they just have to send a few login requests and your site will be busy checking the passwords.
for bruteforce attacks directly through the login form it's easier to add another security mechanism, for example a waiting time (3 seconds is not much for a human user who knows the pw, but it's too long for a bruteforce bot).
if an attacker gets access to the database, he will be able to do fast bruteforce attacks, unless you are using a slow hasing method. this is where pbkdf2 is good.
if you want to see an example of a waiting time for login form let me know ;)

This post was edited by tcl on Jun 24 2012 04:58pm
Member
Posts: 219
Joined: Jun 8 2012
Gold: 96.00
Jun 24 2012 05:34pm
Oh, no, thanks, I've been implementing waiting time myself. Just didn't really care about hashing functions...I thought sha256 + salt is completely enough, but I see it's time to reasearch more on this.
Member
Posts: 22,605
Joined: Sep 23 2007
Gold: 1.01
Warn: 40%
Jun 24 2012 05:41pm
Quote (Perykles @ 25 Jun 2012 01:34)
Oh, no, thanks, I've been implementing waiting time myself. Just didn't really care about hashing functions...I thought sha256 + salt is completely enough, but I see it's time to reasearch more on this.


The most important part is to prevent attackers from etting access to the database. For the DB you can use passwords like ")) i95 JJ4`3j3;;§mkk:L2 dw32" since you do not enter have to enter them every now and then.
If someone gets full access to your server (database and all scripts), you already did something wrong. This is the part where a strong hasing function like pbkdf2 does its job.
If you use timered login, it costs too much time to try many passwords. I use a 5 seconds timer, displayed with javascript. The actual timer is done serverside and cannot be bypassed.
I use that timer for logins, account registration, contact form and password recovery. I used captchas before, but captchas are annoying and not safe at all.
Additional to that, I did more things to make the forms I just mentioned harder to fill out for bots. Humans do not notice anything, except the javascript countdown.
Any information sent to the site before the timer runs out gets ignored by the server.
Go Back To Programming & Development Topic List
Add Reply New Topic New Poll