Hi All,

I tried reading through this: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet. But I'd like to know if the following scenario is considered good practice for a simple login/registration system.

The userlist table:

create table simp 
(
    USR VARCHAR (128),
    PWD varchar (512),
    SALT VARCHAR(512)
)

I created a stored procedure to execute for inserting new data into userlist table instead of direct insert queries.

CREATE PROCEDURE INSERTUSER
    -- Add the parameters for the stored procedure here
    @usr varchar(512),
    @pwd varchar(512)
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;

    --Create salt for appending to password. Hashing the getdate() value to make it unique per user creation.                               
    DECLARE @SALT VARCHAR(512) = upper(sys.fn_varbintohexsubstring(0, HASHBYTES('SHA2_512', CONVERT(VARCHAR, getdate())),1,0))

    --Insert the username, (password + salt), salt.
    INSERT INTO SIMP (USR, PWD, SALT) VALUES (@USR, @PWD + @SALT, @SALT);

    RETURN 1;
END
GO

In PHP, I'd execute a query like (I will clean this up to use sqlsrv_prepare and use parameters, but for simplicity):
"select PWD, SALT from simp where usr = '{$_POST['usr']}'";

And with the return values in the login PHP page, do something like:
if(strtoupper(hash('SHA512','asdfd') . $obj->SALT) === $obj->PWD)


The line I included: if(strtoupper(hash('SHA512','asdfd') . $obj->SALT) === $obj->PWD) should really read: if(strtoupper(hash('SHA512',$_POST['pwd']) . $obj->SALT) === $obj->PWD)

@diafol, thanks. I'll be checking this out and testing before marking this as solved. Thanks again.

So I ended up storing the hash value from password_hash() in my db table. Then I query for the password hash by executing a stored procedure that will return the hash value from the table, and compare this to the input password using password_verify(). It works. Good practice?

I'll mark this as solved.

Edited by RudyM: asdf
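As an added example (not the poster's code or anything from the thread), the flow in this final post written out against the page's simp table with sqlsrv_prepare() and bound parameters, which the question said it would switch to; $conn, the throwaway-hash handling for unknown users and the password_needs_rehash() step are assumptions.

```php
<?php
// Added example, not the poster's code. Registration and login with
// password_hash()/password_verify() against the page's "simp" table.
// Assumptions: $conn is an open sqlsrv connection; PWD is wide enough
// for the 60-character bcrypt string; SALT is left NULL because the
// string returned by password_hash() already embeds the salt and cost.

function registerUser($conn, string $usr, string $pwd): bool
{
    // bcrypt (PASSWORD_DEFAULT) with a random salt generated by PHP.
    $hash = password_hash($pwd, PASSWORD_DEFAULT);
    // Values are bound as parameters, never interpolated into the SQL.
    $stmt = sqlsrv_prepare(
        $conn,
        'INSERT INTO simp (USR, PWD) VALUES (?, ?)',
        [&$usr, &$hash]
    );
    return $stmt !== false && sqlsrv_execute($stmt);
}

function loginUser($conn, string $usr, string $pwd): bool
{
    $stmt = sqlsrv_prepare($conn, 'SELECT PWD FROM simp WHERE USR = ?', [&$usr]);
    if ($stmt === false || !sqlsrv_execute($stmt)) {
        return false;
    }
    $row = sqlsrv_fetch_array($stmt, SQLSRV_FETCH_ASSOC);
    // Unknown user: still run password_verify() against a throwaway hash
    // so the response time does not reveal which usernames exist.
    $stored = is_array($row)
        ? $row['PWD']
        : password_hash('no-such-user', PASSWORD_DEFAULT);
    $ok = password_verify($pwd, $stored) && is_array($row);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        // Transparently upgrade old hashes when the default cost changes.
        $new = password_hash($pwd, PASSWORD_DEFAULT);
        $upd = sqlsrv_prepare($conn, 'UPDATE simp SET PWD = ? WHERE USR = ?', [&$new, &$usr]);
        if ($upd !== false) {
            sqlsrv_execute($upd);
        }
    }
    return $ok;
}
```

Because the salt lives inside the stored string, the separate SALT column and the getdate()-derived salt from the original stored procedure are no longer needed.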
