Storing Passwords in Databases

Hi,

I just wanted to check that I am going about this in a reasonably secure way.

I wish to store some usernames and passwords in a MySQL database.

My plan is to get the password from a form, create a SHA-1 hash of the password and then store this hash in the table.

Is this the normal way of doing things?

Cheers
 
If you're a good small developer yes. You may want to salt your passwords as well as encrypting them before storing.

If you are a large corporate enterprise with millions to spend on security then you'll probably rather store them in a text file, unencrypted, unsalted.
 
If you're a good small developer yes. You may want to salt your passwords as well as encrypting them before storing.

If you are a large corporate enterprise with millions to spend on security then you'll probably rather store them in a text file, unencrypted, unsalted.

Haha very true!

I am the former I hope!

Thanks for the clarification
 
If you're a good small developer yes. You may want to salt your passwords as well as encrypting them before storing.

If you are a large corporate enterprise with millions to spend on security then you'll probably rather store them in a text file, unencrypted, unsalted.

I have noticed this. Why is this the case?
 
Unless you need to hash quickly then I'd personally opt for SHA-256 over SHA-1. bcrypt or SHA512 are two more options but they are a fair amount slower. And yes, SALT the passwords before hashing (usually I use a fixed salt and a random salt that is stored in the DB).
 
I have noticed this. Why is this the case?

Depends how cynical you want to get. In the big corporate environment where employees feel like insignificant parts of a giant machine and do anything to earn their bonus by meeting targets set by managers who don't understand the principles of what their staff are creating, leading to corner cutting and a general lack of motivation to dot the i's and cross the t's...
 
Ignoring the cynicism in this thread, yeah encrypt them with a good one way algorithm - but make sure to pick a salt. Unsalted hash functions are subject to trivial attacks.
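As an added example (not code from this thread or any poster), here is the contrast the replies describe, in Python: the bare SHA-1 scheme from the question beside a per-user random salt with a deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library, standing in for the bcrypt mentioned above). The sample users, wordlist and iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# PBKDF2 work factor; an assumption for this example, tune it to your hardware.
ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """The scheme in the original question: a bare SHA-1 digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow, salted hash, packed into one column value."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hash_count(stored: Dict[str, str]) -> int:
    """How many users share a stored value with another user (reveals password reuse)."""
    return len(stored) - len(set(stored.values()))


def precomputed_lookup(stored: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Unsalted hashes fall to a table built once, in advance; salted ones do not."""
    table = {sha1_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


if __name__ == "__main__":
    # Constructed sample users; alice and bob reuse the same password.
    users = {"alice": "letmein", "bob": "letmein", "carol": "correct horse"}
    unsalted = {u: sha1_unsalted(p) for u, p in users.items()}
    salted = {u: make_record(p) for u, p in users.items()}
    print("reuse visible, unsalted SHA-1:", duplicate_hash_count(unsalted))  # 1
    print("reuse visible, salted PBKDF2:", duplicate_hash_count(salted))     # 0
    print("recovered from table:", precomputed_lookup(unsalted, ["123456", "letmein"]))
    print("login ok:", verify("correct horse", salted["carol"]))
```

The fixed, application-wide salt the earlier reply mentions is usually kept out of the database and added as a secret key in the same hashing step; it is omitted here to keep the record format simple.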
 