mpharo Posted March 25, 2008

I am working on a new login scheme and am having a debate with a co-worker on how to properly secure a password in the database. My theory is to use an SSL cert to encrypt the information over the wire and then use md5 encryption to store it in the database. He claims storing it in this method allows for decryption of the password if there is a SQL injection hack. I say yes, it is possible to do so, but as long as you protect the best you can against SQL injection this is the best method to store the password. Any ideas?
discomatt Posted March 25, 2008

No, md5 is a one-way hash, not an encryption. There are things called 'rainbow tables', though, that have pretty much every possible hash... this allows a brute-force-like attack to be done extremely quickly because the hashing is already done. These are very common for md5, and sha1 tables are even starting to show up.

If someone manages to inject code into a query, you have more issues than users' passwords... but storing them in plain text is still a bad idea.

The most secure method is to use a salted hash. Read more about it here (different language, concepts are the same): http://www.aspheute.com/english/20040105.asp

Generate a random (per-user) salt and mix it in before you hash. Store both the salt and the hash in the user table. Use the salt and the user's submitted password to generate the hash. This way, even if the attackers get hold of your hashed passwords, converting them to plain text will be very difficult, and require a per-user table.

If someone grabs your entire db, they'll have the salts and be able to reverse the salting algorithm fairly easily. This should be the least of your worries, though. Passwords are no longer important if they have all the data your passwords are protecting.
discomatt Posted March 25, 2008

Also, a PHP-based article: http://phpsec.org/articles/2005/password-hashing.html
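The two points made in the replies above (an unsalted md5 falls to a precomputed table lookup; a random per-user salt stored next to the hash forces the attacker to redo the work per user) as an added, runnable example. This is editor-supplied code, not code from the thread or from either of the linked articles, and it is in Python rather than PHP so the behaviour can be checked stand-alone. Two assumptions are mine: the "rainbow table" is a constructed five-entry dictionary standing in for a real one, and the salted hash uses PBKDF2-HMAC-SHA256 with a work factor rather than a single md5 or sha1 round, which goes one step beyond the thread's advice (a salt stops table reuse, but a fast hash still lets an attacker try millions of guesses per second per user).

```python
"""Unsalted MD5 versus a salted, iterated password hash (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a precomputed MD5 lookup table ("rainbow table").
# A real table holds billions of entries, but the attack is identical: a
# dictionary lookup, with no hashing done at attack time.
PRECOMPUTED_MD5 = {
    hashlib.md5(pw.encode()).hexdigest(): pw
    for pw in ["password", "123456", "letmein", "qwerty", "hunter2"]
}

# Work factor for PBKDF2 (an assumption of this example; raise it over time).
ITERATIONS = 100_000


def md5_hex(password: str) -> str:
    """What the original poster proposed storing: a bare md5 of the password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted_md5(stored_hex: str) -> Optional[str]:
    """Recover the plaintext behind an unsalted MD5 hash by table lookup."""
    return PRECOMPUTED_MD5.get(stored_hex)


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hash a password with a fresh per-user salt and return the single string
    to store in the user table. Algorithm, work factor, salt and digest are
    packed into one field so verification can read back everything it needs."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, drawn per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_record(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time,
    so a timing side channel does not leak how many digest bytes matched."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_digests_differ(password: str) -> bool:
    """Two users with the same password get different stored digests, so one
    precomputed table cannot cover both; the attacker must start over per user."""
    first = make_record(password).split("$")[3]
    second = make_record(password).split("$")[3]
    return first != second


if __name__ == "__main__":
    stolen = md5_hex("letmein")  # what a SQL injection would pull out
    print("unsalted md5 cracked by lookup:", crack_unsalted_md5(stolen))
    rec = make_record("letmein")
    print("stored record:", rec)
    print("correct password verifies:", verify_record("letmein", rec))
    print("wrong password verifies:", verify_record("letmeout", rec))
    print("same password, different digests:", salted_digests_differ("letmein"))
```

In PHP the equivalent is `password_hash()` and `password_verify()` (PHP 5.5 and later), which generate the per-user salt, pick a slow algorithm and pack salt, cost and digest into one string exactly as `make_record` does here; prefer those over hand-rolled md5 or sha1 salting.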