Forum Topic: User Password hashing?

(378 views • 29 replies)

This topic is 1 page long.


Aksumka


Posted at: 9/2/09 07:59 PM

Aksumka DARK LEVEL 44

Sign-Up: 08/26/03

Posts: 5,873

Hey guys, I'm building a blog system for my site and was wondering what you guys recommend for hashing user passwords.

Right now I am using md5. I just want to know if there is anything stronger or just better. I'm not too worried about my DB being compromised, but if there is a better way to hash passwords I'd like to use it anyway.

Thanks!

|| AK || TX ||
NG Archive - The Problems of the Past, Today!

I'm too lazy to upload a non-frosted sig...


urbn


Posted at: 9/2/09 08:42 PM

urbn FAB LEVEL 18

Sign-Up: 06/10/07

Posts: 2,301

SHA is stronger than MD5.

MD5 is 128-bit, SHA-0/1 is 160-bit and SHA-2 can be 224, 256, 384 and 512-bit.

SHA-1 is the most commonly used I believe.


blah569


Posted at: 9/2/09 09:09 PM

blah569 DARK LEVEL 21

Sign-Up: 01/18/05

Posts: 2,701

Regardless of whether you're using MD5 or SHA1, or any other form of encryption, it's recommended to add a SALT to the line. Example:

md5("234fsda{}fdsaf3" . $passw . "fsa1FDSAD");

or something even like this:

md5("fsdaFDSF234" . md5($passw) . "fFSDF324f");

Good luck!

PHP: Main | AS3: Main | Get Firefox | Host large files (fast and free)!
"Thank you for learning me English."
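A note on the snippets in the post above: md5() is a one-way hash, not encryption, and the fixed strings wrapped around $passw are shared by every account, so two users with the same password still get the same stored value and one precomputed table covers the whole database. A salt in the usual sense is a random value generated per user and stored beside the hash. The following is an added example and not code from the thread: it shows per-user salting with a deliberately slow hash in PHP and a constant-time comparison on verification. The record format, the iteration count and the function names are my own choices; the builtin password_hash()/password_verify() pair at the end is PHP's own API (PHP 5.5+) that does the same job with bcrypt.

```php
<?php
// Added example, not code from the thread: per-user salted password storage in PHP.
// The thread's snippets wrap every password in the same fixed strings; that is a
// shared secret, not a salt. A salt is random, generated per user and stored next
// to the hash, so two users with the same password get different hashes.
// Assumes PHP 7.0+ (random_bytes); hash_pbkdf2 and hash_equals are standard.
declare(strict_types=1);

const PBKDF2_ITERATIONS = 100000; // assumption for this example; raise as hardware allows
const SALT_BYTES = 16;

// Build the string to store for a new account:
//   pbkdf2-sha256$<iterations>$<salt hex>$<hash hex>
// The salt need not be secret, only unique per user; keeping the iteration
// count in the record lets you raise it later without breaking old rows.
function make_password_record(string $password): string
{
    $salt = random_bytes(SALT_BYTES);
    $hash = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 0, true);
    return 'pbkdf2-sha256$' . PBKDF2_ITERATIONS . '$' . bin2hex($salt) . '$' . bin2hex($hash);
}

// Check a login attempt against a stored record; true only on an exact match.
function check_password(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false; // unknown format or corrupted row: refuse rather than guess
    }
    $iterations = (int) $parts[1];
    $salt = @hex2bin($parts[2]);
    $expected = @hex2bin($parts[3]);
    if ($iterations < 1 || $salt === false || $expected === false) {
        return false;
    }
    $actual = hash_pbkdf2('sha256', $password, $salt, $iterations, 0, true);
    // Constant-time comparison: a mismatch in the first byte takes as long as one in the last.
    return hash_equals($expected, $actual);
}

// PHP's own API (PHP 5.5+) does the same job with bcrypt and chooses the salt for you.
function make_password_record_builtin(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_password_builtin(string $password, string $record): bool
{
    return password_verify($password, $record);
}

// Demonstration with constructed passwords.
$alice = make_password_record('correct horse battery staple');
$bob   = make_password_record('correct horse battery staple');
printf("same password, different records: %s\n", $alice !== $bob ? 'yes' : 'no');
printf("alice, right password: %s\n", check_password('correct horse battery staple', $alice) ? 'accepted' : 'rejected');
printf("alice, wrong password: %s\n", check_password('wrong password', $alice) ? 'accepted' : 'rejected');
printf("tampered record: %s\n", check_password('correct horse battery staple', 'md5$abc') ? 'accepted' : 'rejected');
$builtin = make_password_record_builtin('hunter2');
printf("builtin verify: %s\n", check_password_builtin('hunter2', $builtin) ? 'accepted' : 'rejected');
```

Store the whole record string in the user row. Because the salt and iteration count travel with the hash, you can raise the cost for new accounts or on next login without a migration, and a password reset simply writes a new record; there is never a reason to send anyone their old password.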


Pasty-Flawss


Posted at: 9/3/09 07:35 AM

Pasty-Flawss LIGHT LEVEL 13

Sign-Up: 01/22/08

Posts: 432

Why would you want to hash passwords? You never know when your db will come in handy.



citricsquid


Posted at: 9/3/09 07:50 AM

citricsquid DARK LEVEL 23

Sign-Up: 06/25/05

Posts: 16,084

At 9/3/09 07:35 AM, Pasty-Flawss wrote: Why would you want to hash passwords? You never know when your db will come in handy.

....what?



CronoMan


Posted at: 9/3/09 08:19 AM

CronoMan EVIL LEVEL 06

Sign-Up: 07/19/04

Posts: 2,987

At 9/3/09 07:35 AM, Pasty-Flawss wrote: Why would you want to hash passwords? You never know when your db will come in handy.

I don't hash passwords in the database either. I simply don't see the point. It makes maintaining the site a lot harder for the administrators (like you don't have to make an elaborate scheme to resend or reset passwords if someone forgets their password) with nearly no benefit. It's simple to hide the password from the administrators of the site anyway, and if someone actually gains access to your database, the customers' passwords are the least of your concerns.

"no sound in ass"



Jon-86


Posted at: 9/3/09 08:27 AM

Jon-86 NEUTRAL LEVEL 13

Sign-Up: 01/30/07

Posts: 3,930

At 9/3/09 08:19 AM, CronoMan wrote: I don't hash passwords in the database either. I simply don't see the point.

It's the law! If you're gonna store people's information, it has to be stored in a secure way. Now obviously you can't encrypt everything, but it is well known and sadly accepted that people will use the same password for multiple things. If someone accesses your database then the law comes down on you for compromising all your users.

PHP Main :: C++ Main :: Java Main :: irc.freenode.net


citricsquid


Posted at: 9/3/09 08:31 AM

citricsquid DARK LEVEL 23

Sign-Up: 06/25/05

Posts: 16,084

At 9/3/09 08:19 AM, CronoMan wrote: I don't hash passwords in the database either. I simply don't see the point. It makes maintaining the site a lot harder for the administrators (like you don't have to make an elaborate scheme to resend or reset passwords if someone forgets their password) with nearly no benefit. It's simple to hide the password from the administrators of the site anyway, and if someone actually gains access to your database, the customers' passwords are the least of your concerns.

You're breaking the law, you know that right? It's your legal obligation to keep everything secure. Furthermore, if I join a website I DO NOT expect the admins to be able to use my password; if someone hacks into your database then they have free access to the password of every user; most internet users have the same password everywhere.

Saving yourself from a few extra queries and totally ignoring security is an awful move.



CronoMan


Posted at: 9/3/09 10:36 AM

CronoMan EVIL LEVEL 06

Sign-Up: 07/19/04

Posts: 2,987

At 9/3/09 08:31 AM, citricsquid wrote: You're breaking the law, you know that right?

You're not required by any law to encrypt the password.
Have you ever seen a site where you can request your password, and they will send you your password (that you originally sent) by email? Are they breaking the law?
Isn't everyone actually breaking the law by sending the password unencrypted over the internet each and every time anyone logs on to a site without SSL?
Is everyone breaking the law? Is it illegal to have a website without SSL?

I think not :P

Fact is that a password for a website is not the same as a credit card number. Now a credit card number, I can agree with; but it's illegal to store that information at all, unless you have the correct permissions from the government and credit card companies. Same with social security numbers etc.
But it is basically each individual's responsibility to choose to keep their internet anonymity. If your password gets compromised, and you use the same password everywhere, it's basically your own fault. It's like keeping your PIN number in your wallet - I bet your bank won't give you any money back if your wallet gets stolen in that instance.

Fact is that there are no laws regulating storage of passwords on the internet, nor should there be. A password is not a part of anyone's identity.

"no sound in ass"



citricsquid


Posted at: 9/3/09 11:16 AM

citricsquid DARK LEVEL 23

Sign-Up: 06/25/05

Posts: 16,084

Just because human stupidity is to blame, doesn't mean you're legally in the wrong. If I post my password here and you use it to empty out my Paypal you're still breaking the law, it might be my fault but legally it's you who committed a crime. If you store a password in plain text and then someone comes along and takes it from the database and uses it to steal money, you caused it and therefore you're to blame, regardless of how much of a moron the person who uses the same password is.



CronoMan


Posted at: 9/3/09 11:51 AM

CronoMan EVIL LEVEL 06

Sign-Up: 07/19/04

Posts: 2,987

At 9/3/09 11:16 AM, citricsquid wrote: Just because human stupidity is to blame, doesn't mean you're legally in the wrong. If I post my password here and you use it to empty out my Paypal you're still breaking the law, it might be my fault but legally it's you who committed a crime. If you store a password in plain text and then someone comes along and takes it from the database and uses it to steal money, you caused it and therefore you're to blame, regardless of how much of a moron the person who uses the same password is.

There is no such thing as the internet police.
Laws and regulations depend on the country the server is located in.
Most countries (if not all) have no laws regarding storage of passwords. A password, by law, is not considered sensitive information; a password does not automatically grant anyone any sensitive information about another person, therefore it is not considered sensitive information. Besides, there are simpler ways of retrieving people's passwords than hacking into a database. If passwords were indeed sensitive information as you claim, all websites storing passwords (encrypted or not) would require encryption during transport as well. If you can just pick up the password by sniffing on port 80, there's really no reason to believe that the database is the main source of insecurity.

"no sound in ass"



CronoMan


Posted at: 9/3/09 11:58 AM

CronoMan EVIL LEVEL 06

Sign-Up: 07/19/04

Posts: 2,987

Let me give an easy example :
If somebody takes your password, and posts it on a forum, good luck in getting the police involved

"no sound in ass"



citricsquid


Posted at: 9/3/09 12:03 PM

citricsquid DARK LEVEL 23

Sign-Up: 06/25/05

Posts: 16,084

At 9/3/09 11:58 AM, CronoMan wrote: Let me give an easy example :
If somebody takes your password, and posts it on a forum, good luck in getting the police involved

If I signed up to your website and then you took my password from your database and signed into my Paypal and took $1000, I'm sure you would be prosecuted, I'm also sure if you gave it to someone else and they did it you'd be legally accountable.



CronoMan


Posted at: 9/3/09 12:22 PM

CronoMan EVIL LEVEL 06

Sign-Up: 07/19/04

Posts: 2,987

At 9/3/09 12:03 PM, citricsquid wrote: If I signed up to your website and then you took my password from your database and signed into my Paypal and took $1000, I'm sure you would be prosecuted, I'm also sure if you gave it to someone else and they did it you'd be legally accountable.

If I took your password from the database, and signed in to your paypal account and took $1000, I'm stealing from you. Yes, then I am in fact accountable. If you register yourself as a customer on my website, and you use the same username and password there as for your paypal account, and somebody hacks the database and uses that information to deduct money from your account:
1) Don't use the same password for transactional purposes and everyday websites
2) People who break into websites and steal passwords for personal gain are the criminals

I'm very certain that you won't be able to find any law that says that passwords are considered sensitive information. Remember that data that is protected by law (i.e. credit card numbers and social security numbers) is information that does not directly belong to you. They are protected because it belongs to the banks, insurance companies and the government, and is protected for their sake, not for yours. Individuals have more or less no protection on the internet, and anonymity is not a right you have, and is not in most circumstances protected by law.

Basically, there is no code of laws that dictates how passwords should be stored; however, there is for credit card numbers and social security numbers, for the above-mentioned reason.

"no sound in ass"



Jon-86


Posted at: 9/3/09 01:54 PM

Jon-86 NEUTRAL LEVEL 13

Sign-Up: 01/30/07

Posts: 3,930

At 9/3/09 11:51 AM, CronoMan wrote: There is no such thing as the internet police

There's not, but in the UK there is the Data Protection Act 1998.

You have to justify or give a good reason as to why you're storing the data that you are.
You have the responsibility of maintaining that data (keeping it up to date).
You have to keep all data you store secure from unauthorised access (that means you have to store sensitive data securely).
You also have to destroy any data that you no longer require or can justify keeping.

Those are the main points; I'm sure there are more specific things when it comes to authentication standards, but as far as storing data goes, this is what is required for people in the UK, and if you're a webmaster from outside the UK serving UK users you should have something equivalent in your terms of use.

As for people entering their data unencrypted over the net, they are not breaking the law as it is their own data and they are not storing it :)

PHP Main :: C++ Main :: Java Main :: irc.freenode.net


gumOnShoe


Posted at: 9/3/09 10:19 PM

gumOnShoe LIGHT LEVEL 15

Sign-Up: 05/29/04

Posts: 14,121

I don't see how hashing a password at any point in the process is secure. Either way, a man in the middle attack intercepts the password and passes it on in whatever state it's in at the right point.

If the passwords are stored hashed, you send the hashed password. If they are stored unhashed you get that one and send it.

Unless you're using encryption certificates, which are becoming less and less secure, I don't see how you plan to keep any information secret at all.

Feel free to explain it to me though.

FORUM MODERATOR PM Forum Abuse to: Me :: AIM: gumOnShoeNG
Improve Your Responses >:(


kiwi-kiwi


Posted at: 9/4/09 02:51 AM

kiwi-kiwi LIGHT LEVEL 08

Sign-Up: 03/06/09

Posts: 657

Short scenario:

Guy gets lucky, runs with your database.
If you store password hashes and add a salt he can't get the password, if you don't then he can.
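gumOnShoe's question above and kiwi-kiwi's scenario describe two different threats. Hashing at rest does nothing for a password captured in transit; that is what TLS is for. What it does protect against is exactly the stolen database: a table of plain md5() values is recovered by a lookup table built once from common passwords, while a per-user salt with an iterated hash forces the work to be redone for every account at full cost. The following is an added example, not code from the thread, that runs that audit over a constructed user table both ways. Users, passwords, the word list and the iteration count are all constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: auditing a stored password table against a
// precomputed lookup, once with the thread's plain md5() and once with a per-user salt
// and an iterated hash. Users, passwords and the word list are constructed for the
// demonstration. Assumes PHP 7.0+ for random_bytes().
declare(strict_types=1);

const DEMO_ITERATIONS = 20000; // kept low so the demonstration runs quickly

// Rows as the thread's md5($passw) approach stores them: username => md5 hex.
function unsalted_table(array $users): array
{
    $rows = [];
    foreach ($users as $name => $pw) {
        $rows[$name] = md5($pw);
    }
    return $rows;
}

// The same users with a random 16-byte salt and PBKDF2-SHA256.
function salted_table(array $users, int $iterations = DEMO_ITERATIONS): array
{
    $rows = [];
    foreach ($users as $name => $pw) {
        $salt = random_bytes(16);
        $rows[$name] = [
            'salt' => $salt,
            'hash' => hash_pbkdf2('sha256', $pw, $salt, $iterations, 0, true),
        ];
    }
    return $rows;
}

// A precomputed md5 => word table. It is built once and applies to every
// unsalted database anywhere, which is the whole problem with unsalted hashes.
function precomputed_md5_lookup(array $wordlist): array
{
    $lookup = [];
    foreach ($wordlist as $w) {
        $lookup[md5($w)] = $w;
    }
    return $lookup;
}

// Unsalted rows the precomputed table maps straight back to a word.
function exposed_unsalted(array $rows, array $lookup): array
{
    $hits = [];
    foreach ($rows as $name => $hash) {
        if (isset($lookup[$hash])) {
            $hits[$name] = $lookup[$hash];
        }
    }
    return $hits;
}

// The same table against salted rows: nothing matches, because no stored value is
// md5(word). Each word would have to be re-hashed per user, with that user's salt, at
// the full iteration cost, so the work is count(words) * count(users) * iterations
// instead of count(words) once.
function exposed_salted(array $rows, array $lookup): array
{
    $hits = [];
    foreach ($rows as $name => $row) {
        $hex = bin2hex($row['hash']);
        if (isset($lookup[$hex])) {
            $hits[$name] = $lookup[$hex];
        }
    }
    return $hits;
}

$users    = ['alice' => 'letmein', 'bob' => 'summer2009', 'carol' => 'Tr0ub4dor&3'];
$wordlist = ['123456', 'password', 'letmein', 'qwerty', 'summer2009'];
$lookup   = precomputed_md5_lookup($wordlist);

$unsaltedHits = exposed_unsalted(unsalted_table($users), $lookup);
$saltedHits   = exposed_salted(salted_table($users), $lookup);
printf("unsalted md5: %d of %d accounts exposed (%s)\n",
    count($unsaltedHits), count($users), implode(', ', array_keys($unsaltedHits)));
printf("salted pbkdf2: %d of %d accounts exposed by the same table\n",
    count($saltedHits), count($users));
printf("re-running the word list against the salted table costs %d hash iterations, against %d for the precomputed table\n",
    count($wordlist) * count($users) * DEMO_ITERATIONS, count($wordlist));
```

Two of the three constructed passwords are on the constructed word list, so the unsalted run exposes those accounts immediately; the salted run exposes none with the same table. The salt does not make a weak password strong, it only removes the shortcut, which is why the iteration count matters as much as the salt.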



GustTheASGuy


Posted at: 9/4/09 03:18 AM

GustTheASGuy LIGHT LEVEL 08

Sign-Up: 11/02/05

Posts: 11,418

At 9/4/09 02:51 AM, kiwi-kiwi wrote: If you store password hashes and add a salt he can't get the password, if you don't then he can.

Like no shit? Are you being deep?

If he runs with your database, you're so fucked you couldn't care less about people's passwords.
The point is, chances are he doesn't, so the argument is not important either way.

#ngprogramming at irc.freenode.net
haXe | Keel imperative | Spyro! | Thru you



kiwi-kiwi


Posted at: 9/4/09 04:02 AM

kiwi-kiwi LIGHT LEVEL 08

Sign-Up: 03/06/09

Posts: 657

At 9/4/09 03:18 AM, GustTheASGuy wrote:
If he runs with your database, you're so fucked you couldn't care less about people's passwords.
The point is, chances are he doesn't, so the argument is not important either way.

The point here is that yes you're still fucked, he has your database, access to your database, he can pretty much fuck up all your site, he's probably gonna have their email addresses too, but at least those users you don't seem to think about won't have their passwords stolen.



citricsquid


Posted at: 9/4/09 05:12 AM

citricsquid DARK LEVEL 23

Sign-Up: 06/25/05

Posts: 16,084

so legally we can do what the fuck we want with user passwords? Sounds ridiculous to me, but not impossible, the law is years behind the internet.



citricsquid


Posted at: 9/4/09 05:17 AM

citricsquid DARK LEVEL 23

Sign-Up: 06/25/05

Posts: 16,084

double post, sorry.

At 9/4/09 03:18 AM, GustTheASGuy wrote: If he runs with your database, you're so fucked you couldn't care less about people's passwords.
The point is, chances are he doesn't, so the argument is not important either way.

I disagree with this, anyone who cares about the contents of their database will have backups - nightly, every few hours, whatever - so if someone does get into your database all they can do is cause a few hours of annoyance. If you're storing your passwords unencrypted you're really fucked, all the person in your database has to do is take a dump of all the passwords, wait until you restore your website and start fucking with the user accounts.

I'd love to see you try and explain to your users "Yeah, we got hacked and now someone has all your passwords so you better change them, oh and trust my website!". There are so many times when this happens; take webhostingtalk.com, their database got hacked and the entire contents taken, the passwords of over 200,000 users were put up for download on places like rapidshare, you know the only thing that saved them? The passwords were encrypted, can you imagine what would have happened if they weren't?

Exactly, not encrypting is fucking stupid.



Pasty-Flawss


Posted at: 9/4/09 07:55 AM

Pasty-Flawss LIGHT LEVEL 13

Sign-Up: 01/22/08

Posts: 432

I've made thousands of dollars off of not encrypting. It's funny how silly some people are, giving me their paypal email and password when they sign up. I only take about 500 dollars from everyone I hack so they don't bother suing me. I've made about 40,000 already :)



urbn


Posted at: 9/4/09 11:58 AM

urbn FAB LEVEL 18

Sign-Up: 06/10/07

Posts: 2,301

At 9/4/09 07:55 AM, Pasty-Flawss wrote: I only take about 500 dollars from everyone I hack so they don't bother suing me. I've made about 40,000 already :)

K.


Jon-86


Posted at: 9/4/09 05:54 PM

Jon-86 NEUTRAL LEVEL 13

Sign-Up: 01/30/07

Posts: 3,930

here here points will be blood made in this thread the morra, for the purposes of informing the people who are asking questions and deserve a decent answer ALL RIGHTY THEN

nae caps :P

PHP Main :: C++ Main :: Java Main :: irc.freenode.net


Aksumka


Posted at: 9/5/09 12:04 PM

Aksumka DARK LEVEL 44

Sign-Up: 08/26/03

Posts: 5,873

Thanks for the feedback guys.

I had no idea this would have any sort of debate to it. I just figured it was just common sense to protect user information. I don't care whether it is a law or not to do so, I am going to keep user passwords hashed...

|| AK || TX ||
NG Archive - The Problems of the Past, Today!

I'm too lazy to upload a non-frosted sig...


citricsquid


Posted at: 9/5/09 12:22 PM

citricsquid DARK LEVEL 23

Sign-Up: 06/25/05

Posts: 16,084

At 9/5/09 12:04 PM, Aksumka wrote: Thanks for the feedback guys.

I had no idea this would have any sort of debate to it. I just figured it was just common sense to protect user information. I don't care whether it is a law or not to do so, I am going to keep user passwords hashed...

Excellent choice!



urbn


Posted at: 9/5/09 12:37 PM

urbn FAB LEVEL 18

Sign-Up: 06/10/07

Posts: 2,301

I think you made the right choice. Also, you should definitely use SHA.


Wonderful


Posted at: 9/5/09 12:57 PM

Wonderful FAB LEVEL 13

Sign-Up: 07/27/08

Posts: 854

At 9/4/09 07:55 AM, Pasty-Flawss wrote: I've made thousands of dollars off of not encrypting. It's funny how silly some people are, giving me there paypal email and password when they sign up. I only take about 500 dollars from everyone I hack so they don't bother sewing me. I've made about 40,000 already :)

Unless you're joking, this is evidence, mind you.

Why are people so stupid?

Posted from Linux. Distro may vary.



urbn


Posted at: 9/5/09 01:14 PM

urbn FAB LEVEL 18

Sign-Up: 06/10/07

Posts: 2,301

At 9/5/09 12:57 PM, Wonderful wrote: Why are people so stupid?

While I don't condemn hackers, I certainly don't condone bragging about it.

I'm pretty sure it was a troll attempt though.


ShmenonPie


Posted at: 9/5/09 04:15 PM

ShmenonPie NEUTRAL LEVEL 21

Sign-Up: 05/17/06

Posts: 524

You could encrypt them, but not hash them. That way, unless someone has the encryption key, then they can't access them anyway.

Oh, inc(posts);
