Solved

Password Hashing - Server Side Code vs Database

Posted on 2014-03-06
13
481 Views
Last Modified: 2014-03-08
Do you prefer to hash your passwords using server side code like php/asp or use the built in function of the DB like sql server HASHBYTES?
0
Question by:Scott Fell,  EE MVE
13 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 100 total points
ID: 39911127
I have always used the PHP methods.  Don't even know about the SQL methods.
0
 
LVL 8

Assisted Solution

by:N-W
N-W earned 100 total points
ID: 39911262
Always using server side code.

Using server side code, your security isn't dependent on the database software you are running. The hashing utilities built in to database systems are generally fairly poor in comparison to what can be written in your code.

Separating it from the database software also allows you to use your code with different database software if needed later on.
0
 
LVL 35

Assisted Solution

by:David Todd
David Todd earned 100 total points
ID: 39911625
Hi

Okay for transportability, then do it in the application.

OTOH, you could use SQL and pwdcompare and pwdencrypt, which would allow you to store the hashed passwords in the database quite easily,

http://technet.microsoft.com/en-us/library/dd822792.aspx

BTW these are the same functions etc. that the SQL authenticated logins use, so I'm pretty sure that for 90% of the time it is strong enough on a recent version of SQL.

HTH
  David
0
 
LVL 34

Assisted Solution

by:Slick812
Slick812 earned 100 total points
ID: 39911627
I also use server side and not SQL to do passwords for DB storage; there are now so many hash look-up tables for MD5 and SHA that these are considered to be no obstacle to flip back in a look-up. There are many security sites that suggest the current minimum hash standard is SHA256 with a true "seed" offset, in php I use at least -
$jumbled = hash_hmac('sha256', $Password, $longSeed, true);
and store in a VARBINARY table column.
I use sha384, sha512 or whirlpool, if available, better safe than sorry.
The hash_hmac() does a true seed distortion, so the normal look-up tables for a hash algorithm will not work.
0
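As an added example (not code from the thread or from Slick812), here is the pattern the post above describes carried through end to end: HMAC-SHA256 keyed with a long server-side secret "seed", extended with a per-user random salt so that two users with the same password do not share a stored hash, and a constant-time comparison on login. PEPPER, make_password_record and verify_password are assumed names; it requires PHP 7+ for random_bytes() and hash_equals().

```php
<?php
// Added example: salted HMAC-SHA256 password storage (not from the thread).
// PEPPER stands in for the long secret "seed"; keep it in application config
// outside the database so a dumped table alone is not enough to attack it.
const PEPPER = 'replace-with-a-long-random-secret-kept-outside-the-database';

// Build the record to store: both fields are raw bytes, suited to VARBINARY.
function make_password_record(string $password): array {
    $salt = random_bytes(16);                                  // per-user salt
    $hash = hash_hmac('sha256', $salt . $password, PEPPER, true); // raw binary
    return ['salt' => $salt, 'hash' => $hash];
}

// Recompute with the stored salt and compare in constant time.
function verify_password(string $password, array $record): bool {
    $candidate = hash_hmac('sha256', $record['salt'] . $password, PEPPER, true);
    return hash_equals($record['hash'], $candidate);
}

// Constructed demo: same password, two users, two different stored hashes.
$alice = make_password_record('correct horse battery');
$bob   = make_password_record('correct horse battery');
var_dump(verify_password('correct horse battery', $alice));
var_dump(verify_password('wrong guess', $alice));
var_dump($alice['hash'] === $bob['hash']);
echo bin2hex($alice['salt']), "\n", bin2hex($alice['hash']), "\n";
```

Bind $salt and $hash as binary parameters when inserting into the VARBINARY columns rather than interpolating them into the SQL string.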
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 100 total points
ID: 39912210
I use md5().  Despite what lots of people write about it, it's good enough if the passwords are salted correctly (and if your clients are not idiots who choose a password like "password" thereby destroying any chance they have of account security).

Please go to this article and read the part about An Afterword: About Storing Passwords for some of my thoughts and observations.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912391
Thanks Ray, I have already read your article probably more than a couple of times as well as https://crackstation.net/hashing-security.htm. I saw in a few threads you mentioned the same thing about md5 and I agree. The real issue is, as you suggest, bad passwords. When I try and set up some parameters to ensure at least 8 characters, use upper and lower case and a special character, I will get a complaint from the client that the password becomes too hard to remember and they just want to enter in their kids' name. I send them a few links about the dangers of easy passwords (not including the @N, @JP sagas https://medium.com/cyber-security/24eb09e026dd).

I have always just set the hash using server side code and was wondering if there is any advantage to doing this on the DB. I think it may be best to keep using server side code for this. If I wanted to reuse code from one project to the next, I think I could be more consistent and not worry about how sql server vs mysql works.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39912497
Agree about code reuse vs different SQL engines.  One of the ideas that seems to be getting some traction lately is the idea of a pass-phrase instead of a password.  This may be easier for clients who agonize over the one upper, one lower, one special, one number, etc... rules.  But still, the effect is the same as the hashing effect - adding more characters should make the cracking process take a little longer.  It will do nothing to prevent it forever.
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912623
I have not re-read this one in a while: http://arstechnica.com/security/2012/08/passwords-under-assault/ I seem to recall they talked about pass phrases being a good option.

I think I am going to stick with hashing server side.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39912721
0
 
LVL 34

Expert Comment

by:Slick812
ID: 39912875
In any security setup it is better to go with the "more" rather than the "least"; using md5 when you can just as easily use sha256 defies any thinking that I can do. Anyone who has had md5 passwords rolled through and extracted would likely never say what Ray says about using md5 anyway.
A Quote from the "minced-meat" article that Ray Paseur gave -
"the website's unfortunate and irresponsible use of MD5"
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912949
I didn't mean for this to be a debate on which algo to use. I am using sha256; any of them is just as easy to use as the next. In the end, if somebody did break in, they would probably be smart enough to find the code that ultimately has the password. Plus they would be able to see a bunch of names, addresses, event activity.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39913111
That's a puzzle to me.  If someone has gotten access to the point where they can even see the MD5 version of the password, your site has already been thoroughly compromised.
0
 
LVL 52

Author Closing Comment

by:Scott Fell, EE MVE
ID: 39915052
Sticking with server side code.  Thanks!
0
