Solved

Password Hashing - Server Side Code vs Database

Posted on 2014-03-06
477 Views
Last Modified: 2014-03-08
Do you prefer to hash your passwords using server side code like php/asp or use the built in function of the DB like sql server HASHBYTES?
Question by:Scott Fell,  EE MVE
13 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 100 total points
ID: 39911127
I have always used the PHP methods.  Don't even know about the SQL methods.
0
 
LVL 8

Assisted Solution

by:N-W
N-W earned 100 total points
ID: 39911262
Always using server side code.

Using server side code, your security isn't dependent on the database software you are running. The hashing utilities built in to database systems are generally fairly poor in comparison to what can be written in your code.

Separating it from the database software also allows you to use your code with different database software if needed later on.
0
 
LVL 35

Assisted Solution

by:David Todd
David Todd earned 100 total points
ID: 39911625
Hi

Okay for transportability, then do it in the application.

OTOH, you could use SQL and pwdcompare and pwdencrypt, which would allow you to store the hashed passwords in the database quite easily.

http://technet.microsoft.com/en-us/library/dd822792.aspx

BTW this is the same functions etc that the SQL authenticated logins use, so I'm pretty sure that for 90% of the time it is strong enough on a recent version of SQL.

HTH
  David
0
 
LVL 33

Assisted Solution

by:Slick812
Slick812 earned 100 total points
ID: 39911627
I also use server side and not SQL to do passwords for DB storage; there are now so many hash look-up tables for MD5 and SHA that these are considered to be no obstacle to flip back in a look-up. There are many security sites that suggest the current minimum hash standard is SHA256 with a true "seed" offset. In PHP I use at least:
$jumbled = hash_hmac('sha256', $Password, $longSeed, true);
and store it in a VARBINARY table column.
I use sha384, sha512 or whirlpool, if available; better safe than sorry.
The hash_hmac() does a true seed distortion, so the normal look-up tables for a hash algorithm will not work.
0
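The comment above keys SHA-256 with one long site-wide secret. That is a pepper rather than a per-user salt, and a fast hash stays fast for an attacker who obtains the key along with the table. The block below is an added example, not code from this thread or from any of the posters: it keeps the HMAC idea as a pre-hash but hands the real work to PHP's built-in password_hash()/password_verify() (bcrypt, PHP 5.5+; the scalar type hints need PHP 7.0+). The pepper value, the constant name BCRYPT_COST, the function names and the column size are assumptions made for the example.

```php
<?php
// Added example (not code from the thread). Server-side password storage in
// PHP 7.0+ using the built-in password_hash()/password_verify() API (bcrypt)
// in place of a bare keyed SHA-256. $pepper and the column size are assumptions.

const BCRYPT_COST = 12; // tune so one hash takes roughly 100-250 ms on your server

// Hypothetical site-wide secret loaded from config or the environment, never
// stored in the database. hash_hmac() with one fixed key (as in the comment
// above) is a pepper, not a per-user salt; here it is only a pre-hash so that
// a dump of the users table alone cannot be attacked offline.
function prehash(string $password, string $pepper): string
{
    // bcrypt reads at most 72 bytes and stops at the first NUL byte, and raw
    // HMAC output may contain NUL bytes, so encode it as base64 (44 chars) first.
    return base64_encode(hash_hmac('sha256', $password, $pepper, true));
}

function createPasswordRecord(string $password, string $pepper): string
{
    // password_hash() draws a random 128-bit salt per call and embeds salt,
    // algorithm and cost in the 60-character result, e.g. "$2y$12$...".
    $hash = password_hash(prehash($password, $pepper), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash; // store in a VARCHAR(255) column; no separate salt column needed
}

function verifyPassword(string $password, string $pepper, string $stored): bool
{
    // password_verify() parses salt and cost out of $stored and compares the
    // result in constant time.
    return password_verify(prehash($password, $pepper), $stored);
}

// After a successful login: returns a replacement record when the stored hash
// was made with an older cost or algorithm, otherwise null.
function rehashIfNeeded(string $password, string $pepper, string $stored)
{
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return createPasswordRecord($password, $pepper);
    }
    return null;
}

// Constructed demo values.
$pepper = 'example-pepper-put-the-real-one-in-config-not-in-the-db';
$record = createPasswordRecord('correct horse battery staple', $pepper);
var_dump(verifyPassword('correct horse battery staple', $pepper, $record));
var_dump(verifyPassword('Correct horse battery staple', $pepper, $record));
var_dump(rehashIfNeeded('correct horse battery staple', $pepper, $record));
```

Two things to keep in mind with this layout: the salt lives inside the stored string, so the table needs no VARBINARY salt column, and because every record depends on the pepper, rotating the pepper means every user must be rehashed at next login, so it is worth storing a pepper version alongside the hash if you expect to rotate it.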
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 100 total points
ID: 39912210
I use md5().  Despite what lots of people write about it, it's good enough if the passwords are salted correctly (and if your clients are not idiots who choose a password like "password" thereby destroying any chance they have of account security).

Please go to this article and read the part about "An Afterword: About Storing Passwords" for some of my thoughts and observations.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912391
Thanks Ray, I have already read your article probably more than a couple of times as well as https://crackstation.net/hashing-security.htm.   I saw in a few threads you mentioned the same thing about md5 and I agree.     The real issue is, as you suggest, bad passwords.  When I try and set up some parameters to ensure at least 8 characters, use upper and lower case and a special character,  I will get a complaint from the client that the password becomes too hard to remember and they just want to enter in their kid's name.  I send them a few links about the dangers of easy passwords (not including the @N, @JP sagas https://medium.com/cyber-security/24eb09e026dd).

I have always just set the hash using serverside code and was wondering if there is any advantage to doing this on the DB.   I think it may be best to keep using serverside code for this.   If I wanted to reuse code from one project to the next, I think I could be more consistent and not worry about how sql server vs mysql works.
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 39912497
Agree about code reuse vs different SQL engines.  One of the ideas that seems to be getting some traction lately is the idea of a pass-phrase instead of a password.  This may be easier for clients who agonize over the one upper, one lower, one special, one number, etc... rules.  But still, the effect is the same as the hashing effect - adding more characters should make the cracking process take a little longer.  It will do nothing to prevent it forever.
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912623
I have not re-read this one in a while http://arstechnica.com/security/2012/08/passwords-under-assault/ I seem to recall they talked about pass phrases being a good option.

I think I am going to stick with hashing serverside.
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 39912721
0
 
LVL 33

Expert Comment

by:Slick812
ID: 39912875
In any security setup it is better to go with the "more" rather than the "least"; using md5 when you can just as easily use sha256 defies any thinking that I can do. Anyone who has had md5 passwords rolled through and extracted would likely never say what Ray says about using md5 anyway.
A quote from the "minced-meat" article that Ray Paseur gave:
"the website's unfortunate and irresponsible use of MD5"
0
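The disagreement in the last few comments (salted md5 is "good enough" versus "use the stronger hash") turns on what a salt actually buys. The block below is an added example, not code from this thread: it builds a constructed "leaked" users row stored as salt + md5(salt . password), runs a made-up wordlist against it, and then runs the same wordlist against a bcrypt hash of the same password and times both. The wordlist, the victim password and the helper names are invented for the example; it needs PHP 7.0+ for random_bytes().

```php
<?php
// Added example (not code from the thread). A constructed "leaked" users row
// stored as salt + md5(salt . password) is attacked with a made-up wordlist,
// then the same wordlist is run against a bcrypt hash of the same password so
// the cost per guess can be compared. Requires PHP 7.0+ (random_bytes).

$wordlist = ['123456', 'password', 'qwerty', 'letmein', 'Summer2014!', 'kidsname2014'];
$victimPassword = 'kidsname2014';

// Constructed leaked row. The salt sits in the clear next to the hash, as it
// must for the site to verify logins, so the attacker has it too.
$salt = bin2hex(random_bytes(8));
$leakedMd5 = md5($salt . $victimPassword);

// Same password stored the other way: salt, cost and hash in one string.
$leakedBcrypt = password_hash($victimPassword, PASSWORD_BCRYPT, ['cost' => 12]);

// Returns the cracked password or null. The salt defeats a precomputed table
// (the hash must be attacked on its own) but costs the attacker almost nothing
// per guess: one md5() call each.
function crackSaltedMd5(string $hash, string $salt, array $words)
{
    foreach ($words as $w) {
        if (hash_equals($hash, md5($salt . $w))) {
            return $w;
        }
    }
    return null;
}

// Same attack against bcrypt: each guess is a full cost-12 bcrypt run.
function crackBcrypt(string $hash, array $words)
{
    foreach ($words as $w) {
        if (password_verify($w, $hash)) {
            return $w;
        }
    }
    return null;
}

// Guesses per second for a callable that performs one guess per call.
function guessesPerSecond(callable $oneGuess, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $oneGuess($i);
    }
    return $n / (microtime(true) - $start);
}

printf("salted md5 cracked: %s\n", var_export(crackSaltedMd5($leakedMd5, $salt, $wordlist), true));
printf("bcrypt cracked:     %s\n", var_export(crackBcrypt($leakedBcrypt, $wordlist), true));

$count = count($wordlist);
$md5Rate = guessesPerSecond(function (int $i) use ($salt, $wordlist, $count) {
    md5($salt . $wordlist[$i % $count]);
}, 200000);
$bcryptRate = guessesPerSecond(function (int $i) use ($leakedBcrypt, $wordlist, $count) {
    password_verify($wordlist[$i % $count], $leakedBcrypt);
}, $count);
printf("md5 guesses/s:    %.0f\nbcrypt guesses/s: %.2f\n", $md5Rate, $bcryptRate);
```

Both hashes fall to the wordlist, because the password is in it; the difference is the rate line. A single PHP process is a poor cracker, so the absolute md5 figure here understates a GPU rig by orders of magnitude, but the ratio between the two is the point: a salt only removes the precomputation shortcut, while the bcrypt cost parameter is what makes every individual guess expensive, and it can be raised as hardware improves. Swapping md5 for sha256 with the same fixed salt changes that picture very little.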
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912949
I didn't mean for this to be a debate on which algo to use. I am using sha256; any of them are just as easy to use as the next.     In the end, if somebody did break in, they would probably be smart enough to find the code that ultimately has the password.  Plus they would be able to see a bunch of names, addresses, event activity.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39913111
That's a puzzle to me.  If someone has gotten access to the point where they can even see the MD5 version of the password, your site has already been thoroughly compromised.
0
 
LVL 52

Author Closing Comment

by:Scott Fell, EE MVE
ID: 39915052
Sticking with server side code.  Thanks!
0
