
Which is More Secure? Iterative Salting or Encryption Methods?

Bheeman89
Light Poster
36 posts since Nov 2009

Dear Friends,

I have a question in security programming. As all of us know, when we have a database with passwords or anything sensitive, we would like to encrypt it so it is not readable by others. Now I want to know which of the methods is more secure or less secure: is it Iterative Salting (1000x iterative) or encryption methods such as SHA 256, MD5, and all the others? Kindly give me your opinion on this, please.

Thank you.

twiss
Veteran Poster
1,000 posts since Apr 2010

As far as I understand those things, you have to salt first, and then hash it - and not just md5, but really a lot of them mixed. It's a good idea to use someone else's security script, also.

Bheeman89
Light Poster
36 posts since Nov 2009

Yes, Mr Twiss... But I want to know if salt and hash alone is equally as secure as encryption alone? Any explanation for that, please?

Bheeman89
Light Poster
36 posts since Nov 2009

I'm sorry... correction to the post...
Is it Iterative Salting (1000x iterative) or encryption methods such as Blowfish, AES, DES and all the others? Kindly give me your opinion on this, please.

twiss
Veteran Poster
1,000 posts since Apr 2010

You shouldn't encrypt passwords, you should hash them.

Bheeman89
Light Poster
36 posts since Nov 2009

What if I want to store the password in a database? What should I do with the database: encrypt or hash? Sorry for asking too many probing questions, Mr Twiss... Thank you for your help though. :)

twiss
Veteran Poster
1,000 posts since Apr 2010

OK. What you need to do:

At password creation (registration or change)
- create a random salt (for example f4i, or whatever, it doesn't have to be long)
- insert into the database $salt . sha1($salt . $password) or $salt . sha1($salt . md5($salt . $password)) , whatever you like. It's best to create or use some function that uses as many md5 and sha1's as possible, perhaps 1000 or 5000 (something that takes a second or 2).

At login, retrieve the password from the database, get the first 3 (salt length) characters, calculate the same (above) and check if it matches.

Again, there are scripts available that do this for you and perhaps even smarter things I can't think of.
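The register/login flow twiss describes above, written out as an added example (Python rather than the thread's PHP, and not code from the thread): a per-user random salt and the iteration count are stored next to the digest so that login can recompute the same chain, and the comparison is constant-time. The algorithm tags and the `$`-separated record layout are assumptions of this example; the `pbkdf2-sha256` tag uses the standardised form of the same iterate-a-hash idea and is the one to prefer over a home-rolled loop.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 5000  # raise until one check takes a noticeable fraction of a second


def iterated_hash(salt: bytes, password: str, iterations: int) -> bytes:
    """The post's scheme: keep feeding salt + previous digest through SHA-256."""
    digest = salt + password.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha256(salt + digest).digest()
    return digest


def derive(alg: str, salt: bytes, password: str, iterations: int) -> bytes:
    """Algorithm tags are hypothetical; pbkdf2-sha256 is the standardised
    version of the same idea and should be preferred over iterated_hash()."""
    if alg == "iter-sha256":
        return iterated_hash(salt, password, iterations)
    if alg == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    raise ValueError(f"unknown algorithm tag {alg!r}")


def make_record(password: str, alg: str = "pbkdf2-sha256",
                iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Registration / password change. The stored string carries everything
    verify() needs later: algorithm, per-user random salt, iteration count, digest."""
    if salt is None:
        salt = secrets.token_bytes(16)  # 16 random bytes, not a 3-character salt
    digest = derive(alg, salt, password, iterations)
    return f"{alg}${salt.hex()}${iterations}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Login: parse the record, recompute with the stored salt and count, and
    compare in constant time so timing does not leak how many bytes matched."""
    alg, salt_hex, iter_str, digest_hex = record.split("$")
    candidate = derive(alg, bytes.fromhex(salt_hex), password, int(iter_str))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: what a registration row and a login check look like.
    stored = make_record("correct horse battery staple")
    print(stored)
    print(verify("correct horse battery staple", stored))  # True
    print(verify("correct horse battery stapl", stored))   # False
```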

Bheeman89
Light Poster
36 posts since Nov 2009

Okay, I got that, Mr Twiss... This is about hashing the password and retrieving it... Can I know if we can hash a database which I'm going to use to store the user name and password?

twiss
Veteran Poster
1,000 posts since Apr 2010

You shouldn't hash the username, only the password, if that's what you're asking.

Bheeman89
Light Poster
36 posts since Nov 2009

Ermm, yes, I am aware that I have to hash only the password... but how do I give security to the database in which I'm going to store the password? Is hashing the database as a whole possible?

twiss
Veteran Poster
1,000 posts since Apr 2010

No, you should protect the database with a password, and make it accessible from localhost only. But if you're on a shared host, that's most of the time already been done for you.

twiss
Veteran Poster
1,000 posts since Apr 2010

And, if you can, it's best to disable phpmyadmin and the like if your site goes live.

Question Answered as of 1 Year Ago by twiss