Storing passwords

From: David Wheeler (dwheeler@ida.org)
Date: 08/23/02
Date: Fri, 23 Aug 2002 09:23:57 -0400
From: David Wheeler <dwheeler@ida.org>
To: secprog@securityfocus.com

The standard way to store passwords is... not to
store passwords. Instead, store a salted hash of
the password in a database. When you get a purported
password, you re-salt it, compute the hash, and
determine if they are the same. This is how
Unix has done it for years. You want bigger hashes
and salts than the old Unix systems, and you still want
to prevent reading from those files (to foil password crackers).
More info is in my book at:
   http://www.dwheeler.com/secure-programs

--- David A. Wheeler
     dwheeler@ida.org
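The scheme the post describes (store a salted hash, re-salt the purported password with the stored salt, recompute and compare), worked through as an added example. This is not code from the original post or from Wheeler's book; the record format, salt size, iteration count and the in-memory stand-in for the database table are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: 16-byte random salt and PBKDF2-HMAC-SHA256
# with a work factor, i.e. a larger salt and hash than the old Unix crypt() scheme.
SALT_BYTES = 16
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'algo$iterations$salt_hex$hash_hex'.

    The plaintext password is never stored; only the salted hash is.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-salt the purported password with the stored salt, recompute, compare."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)

# Constructed in-memory stand-in for the database table mentioned in the post.
USER_TABLE = {}  # username -> stored record (salted hash, never the password)

def register(username: str, password: str) -> None:
    USER_TABLE[username] = hash_password(password)

def login(username: str, password: str) -> bool:
    record = USER_TABLE.get(username)
    if record is None:
        hash_password(password)  # do the same work so unknown users are not faster
        return False
    return verify_password(password, record)
```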
