Topic: Public Safety Announcement: On the subject of password security - page 4. (Read 5899 times)

legendary
Activity: 1658
Merit: 1001
If you can run that same thing 5 passes... do it!

Aren't you reducing your key space then? Making it less secure.
sr. member
Activity: 371
Merit: 250
Please, service providers...  Use the best possible solution available!

If you can use multiple SHA512 hashes with each different unique salts from different sections of passwords... do it! If you can run that same thing 5 passes... do it!

Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. Have graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)

Thanks for listening, do shout at me if you think this is stupid advice! Smiley

Of course users should:

1)  Have a 15+ character password.
2)  Have that password contain a minimum of 2 digits, 2 upper, 2 lower, 2 symbols, none repeating
3)  Have that password be unique to that site

Then you have very little to worry about, unless of course it is stored in clear text.

If only people didn't get annoyed when you try to enforce restrictions. Sad
member
Activity: 84
Merit: 10
Please, service providers...  Use the best possible solution available!

If you can use multiple SHA512 hashes with each different unique salts from different sections of passwords... do it! If you can run that same thing 5 passes... do it!

Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. Have graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)

Thanks for listening, do shout at me if you think this is stupid advice! Smiley

Of course users should:

1)  Have a 15+ character password.
2)  Have that password contain a minimum of 2 digits, 2 upper, 2 lower, 2 symbols, none repeating
3)  Have that password be unique to that site

Then you have very little to worry about, unless of course it is stored in clear text.
newbie
Activity: 35
Merit: 0
Dual salts would also be good, where one of the salts set in source code. If only the database is compromised, the passwords are safe.
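The two ideas raised in this thread, a graceful hash upgrade performed transparently at login and a second secret ("pepper") kept in source code or config rather than the database, combined in one added example. This is not code from any poster; the scheme names, the iteration count and the placeholder pepper value are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed: the pepper lives in source code / config, never in the database,
# so a dump of the users table alone is not enough to verify guesses offline.
PEPPER = b"placeholder-pepper-from-config"

LEGACY = "sha512x5"        # old scheme: 5 passes of SHA-512 over salt + password
MODERN = "pbkdf2-sha512"   # scheme to migrate to when a legacy user logs in
ITERATIONS = 200_000       # assumed work factor for the modern scheme

def _legacy_digest(password: str, salt: bytes) -> bytes:
    d = salt + password.encode()
    for _ in range(5):
        d = hashlib.sha512(d + PEPPER).digest()
    return d

def _modern_digest(password: str, salt: bytes) -> bytes:
    # Key the password with the pepper first, then run the slow salted KDF.
    keyed = hmac.new(PEPPER, password.encode(), hashlib.sha512).digest()
    return hashlib.pbkdf2_hmac("sha512", keyed, salt, ITERATIONS)

def make_record(password: str, scheme: str = MODERN) -> dict:
    # Per-user random salt; the record tags which scheme produced the hash.
    salt = secrets.token_bytes(16)
    digest = _legacy_digest(password, salt) if scheme == LEGACY else _modern_digest(password, salt)
    return {"scheme": scheme, "salt": salt.hex(), "hash": digest.hex()}

def verify_and_upgrade(record: dict, password: str):
    """Return (ok, new_record). new_record is set only when the submitted
    password verified against a legacy hash and was rehashed with MODERN."""
    salt = bytes.fromhex(record["salt"])
    if record["scheme"] == LEGACY:
        candidate = _legacy_digest(password, salt)
    elif record["scheme"] == MODERN:
        candidate = _modern_digest(password, salt)
    else:
        return False, None          # unknown scheme: refuse rather than guess
    ok = hmac.compare_digest(candidate.hex(), record["hash"])
    if ok and record["scheme"] != MODERN:
        return True, make_record(password)   # transparent upgrade on login
    return ok, None
```

Accounts that never log in keep their legacy record, which is why the thread's suggestion of a forced reset after a grace period still belongs alongside this.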
sr. member
Activity: 371
Merit: 250
Please, service providers...  Use the best possible solution available!

If you can use multiple SHA512 hashes with each different unique salts from different sections of passwords... do it! If you can run that same thing 5 passes... do it!

Don't just go with MD5 + usalt because "no-one will ever get the database". Always prepare for the worst case scenario. Have graceful hash updates! If a better hashing method becomes available, make users reset their password! (Or have it be done automatically on log in using submitted password for 30 days, and after that time, require reset.)

Thanks for listening, do shout at me if you think this is stupid advice! Smiley