encrypting passwords
#1

[eluser]bigtimslim[/eluser]
I just read this article on securing passwords and thought it was interesting. It was initially strange to find that fast hashing functions can be a bad thing. Do most of you guys use blowfish with the encryption class for passwords and such?

http://www.matasano.com/log/958/enough-w...d-schemes/
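As an added example (not code from the thread or from CodeIgniter), here is the slow, salted one-way hashing the linked article argues for, using PHP's built-in bcrypt support via password_hash() and password_verify() (PHP 5.5 and later). CodeIgniter's Encrypt class is reversible symmetric encryption, which is the wrong tool for password storage; the cost constant and function names below are this example's own choices.

```php
<?php
// Added example: bcrypt password hashing with PHP's password_hash()/password_verify().
// The work factor makes each guess expensive for an attacker who obtains the hash table,
// which is the whole point of preferring bcrypt over a fast digest such as SHA-256.

declare(strict_types=1);

// Work factor: each +1 doubles hashing time. Tune so one hash costs roughly
// 100-250 ms on the production hardware, and raise it as machines get faster.
const BCRYPT_COST = 12;

function hashPassword(string $password): string
{
    // password_hash() draws a random 128-bit salt and embeds algorithm, cost and
    // salt in the returned string, so nothing else needs to be stored beside it.
    // Caveat: bcrypt only looks at the first 72 bytes of the password.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    // Re-derives the hash with the parameters embedded in $storedHash and compares
    // in constant time, so a wrong guess costs the caller the full bcrypt work.
    return password_verify($password, $storedHash);
}

function needsRehash(string $storedHash): bool
{
    // True when the stored hash was produced with a lower cost (or another algorithm);
    // call this after a successful login and re-hash to upgrade old entries transparently.
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Demonstration with a constructed password.
$hash = hashPassword('correct horse battery staple');
printf("stored:  %s\n", $hash); // format: $2y$<cost>$<22-char salt><31-char hash>
printf("right:   %s\n", verifyPassword('correct horse battery staple', $hash) ? 'accepted' : 'rejected');
printf("wrong:   %s\n", verifyPassword('wrong password', $hash) ? 'accepted' : 'rejected');
printf("rehash?  %s\n", needsRehash($hash) ? 'yes' : 'no');

// Why a fast hash is the wrong tool: time one guess under SHA-256 versus bcrypt.
$t = microtime(true);
hash('sha256', 'guess');
$fast = microtime(true) - $t;
$t = microtime(true);
hashPassword('guess');
$slow = microtime(true) - $t;
printf("sha256 per guess: %.6f s, bcrypt(cost=%d) per guess: %.4f s\n", $fast, BCRYPT_COST, $slow);
```

The ratio printed by the last line is the attacker's slowdown per guess; because the cost is stored inside the hash string, you can raise BCRYPT_COST later and let needsRehash() migrate users as they log in.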
#2

[eluser]jedd[/eluser]
[quote author="bigtimslim" date="1235829015"]I just read this article on securing passwords and thought it was interesting. It was initially strange to find that fast hashing functions can be a bad thing. Do most of you guys use blowfish with the encryption class for passwords and such?

http://www.matasano.com/log/958/enough-w...d-schemes/[/quote]

A fascinating article indeed.

Security in depth is (one of) the mantras, and he hints about it there with the reference to (paraphrasing) 'without SSL you're blown out of the water anyway'. As soon as you're piping your login (at least) calls over SSL or similar, you've ruled out a whole potential attack vector.

You don't want an inexpensive way of rapidly testing passwords to your system presented to your would-be intruder, and if your public interface is fast and dumb then that's what you're giving them. You can provide the necessary delays in there with simple sleep() style calls, and extend that by implementing functionality similar to what Denyhosts does for your SSH front end. (Loosely, it watches for connections that are obviously attacks, and drops the route to the IP address making those attempts. It is unobtrusive, non-antagonistic, inexpensive, and highly effective.)

A lot of the concern stems from a 'what if we lose the table containing our password hashes' scenario, and that's a valid concern given the ease of SQL injection attacks (in turn due to the ease of writing very insecure code - but CI helps a lot here). If you're genuinely worried about this vector, you'd look at having your password store in a separate database, on a separate machine, and a very very very robust and simple (read secure, tested, very limited etc) interface to it.

But there are lots of things to talk about with security .. heck you could probably write a book about them all. Wink
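The sleep()-style slowdown and Denyhosts-style lockout described in the post above, as an added example that is not part of the original thread: a small PHP login throttle keyed on client IP plus account. The in-memory array is a stand-in for a shared store such as a database table or cache, and the class, method and field names are this example's own assumptions.

```php
<?php
// Added example: throttle failed logins so the public login endpoint is not a cheap
// password-testing oracle. Two mechanisms from the post: a growing delay per failure
// (the sleep() idea) and a temporary lockout of the offending source (the Denyhosts idea).

declare(strict_types=1);

final class LoginThrottle
{
    private const MAX_FAILURES    = 5;    // failures inside the window before lockout
    private const WINDOW_SECONDS  = 900;  // 15-minute window for counting failures
    private const LOCKOUT_SECONDS = 900;  // how long a locked key stays locked
    private const BASE_DELAY_MS   = 100;  // delay doubles with each failure, capped below
    private const MAX_DELAY_MS    = 5000;

    /** @var array<string, array{failures:int, first:int, lockedUntil:int}> in-memory stand-in for a shared store */
    private array $store = [];

    // Key on IP *and* account: one attacker cannot lock every user out by hopping IPs,
    // and one IP cannot walk a password list across many accounts unthrottled.
    private function key(string $ip, string $username): string
    {
        return hash('sha256', strtolower($username) . '|' . $ip);
    }

    /** Seconds remaining if this source/account pair is locked, else 0. */
    public function lockedFor(string $ip, string $username, int $now): int
    {
        $e = $this->store[$this->key($ip, $username)] ?? null;
        return $e === null ? 0 : max(0, $e['lockedUntil'] - $now);
    }

    /** Milliseconds the caller should sleep before answering this attempt. */
    public function delayMs(string $ip, string $username): int
    {
        $e = $this->store[$this->key($ip, $username)] ?? null;
        if ($e === null || $e['failures'] === 0) {
            return 0;
        }
        // 100, 200, 400, 800, ... ms, capped so a legitimate user is never stuck for long
        return (int) min(self::MAX_DELAY_MS, self::BASE_DELAY_MS * (2 ** ($e['failures'] - 1)));
    }

    public function recordFailure(string $ip, string $username, int $now): void
    {
        $k = $this->key($ip, $username);
        $e = $this->store[$k] ?? ['failures' => 0, 'first' => $now, 'lockedUntil' => 0];
        if ($now - $e['first'] > self::WINDOW_SECONDS) {   // window expired: start counting afresh
            $e = ['failures' => 0, 'first' => $now, 'lockedUntil' => 0];
        }
        $e['failures']++;
        if ($e['failures'] >= self::MAX_FAILURES) {
            $e['lockedUntil'] = $now + self::LOCKOUT_SECONDS; // stop answering this source for a while
        }
        $this->store[$k] = $e;
    }

    public function recordSuccess(string $ip, string $username): void
    {
        unset($this->store[$this->key($ip, $username)]);   // clean slate after a real login
    }
}

// Wiring the throttle around a bcrypt check.
function attemptLogin(LoginThrottle $t, string $ip, string $user, string $pw, string $storedHash, int $now): string
{
    $left = $t->lockedFor($ip, $user, $now);
    if ($left > 0) {
        return "locked, retry in {$left}s";
    }
    usleep($t->delayMs($ip, $user) * 1000);  // slow the guesser down before even checking
    if (password_verify($pw, $storedHash)) {
        $t->recordSuccess($ip, $user);
        return 'ok';
    }
    $t->recordFailure($ip, $user, $now);
    return 'invalid credentials';            // same message whether or not the account exists
}

// Constructed demonstration: repeated wrong guesses from one IP lock that IP/account pair,
// after which even the right password is refused until the lockout expires.
$throttle = new LoginThrottle();
$hash     = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$now      = time();
for ($i = 1; $i <= 6; $i++) {
    printf("attempt %d: %s\n", $i, attemptLogin($throttle, '203.0.113.7', 'alice', "wrong{$i}", $hash, $now));
}
printf("right password, same IP: %s\n",
    attemptLogin($throttle, '203.0.113.7', 'alice', 'correct horse battery staple', $hash, $now));
```

Because the attempt counter lives in the throttle rather than in the session, it cannot be reset by discarding a cookie; in a real deployment the store must be shared across web servers, and the lockout message should be logged so the pattern of locked sources is visible to whoever watches the logs.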
#3

[eluser]darkhouse[/eluser]
[quote author="jedd" date="1235844136"]But there are lots of things to talk about with security .. heck you could probably write a book about them all. Wink[/quote]

And they have. [url="http://www.google.ca/search?q=php+security+site:amazon.com"]http://www.google.ca/search?q=php+security+site:amazon.com[/url]
Theme © iAndrew 2016 - Forum software by © MyBB