Solved

Password Hashing - Server Side Code vs Database

Posted on 2014-03-06
Last Modified: 2014-03-08
Do you prefer to hash your passwords using server side code like php/asp or use the built in function of the DB like sql server HASHBYTES?
Question by:Scott Fell,  EE MVE
13 Comments
 
LVL 82

Accepted Solution

by:
Dave Baldwin earned 100 total points
ID: 39911127
I have always used the PHP methods.  Don't even know about the SQL methods.
0
 
LVL 8

Assisted Solution

by:N-W
N-W earned 100 total points
ID: 39911262
Always using server side code.

Using server side code, your security isn't dependent on the database software you are running. The hashing utilities built in to database systems are generally fairly poor in comparison to what can be written in your code.

Separating it from the database software also allows you to use your code with different database software if needed later on.
0
 
LVL 35

Assisted Solution

by:David Todd
David Todd earned 100 total points
ID: 39911625
Hi

Okay for transportability, then do it in the application.

OTOH, you could use SQL and pwdcompare and pwdencrypt, which would allow you to store the hashed passwords in the database quite easily,

http://technet.microsoft.com/en-us/library/dd822792.aspx

BTW these are the same functions etc. that the SQL authenticated logins use, so I'm pretty sure that for 90% of the time it is strong enough on a recent version of SQL.

HTH
  David
0
 
LVL 33

Assisted Solution

by:Slick812
Slick812 earned 100 total points
ID: 39911627
I also use server side and not SQL to do passwords for DB storage; there are now so many hash look-up tables for MD5 and SHA that these are considered to be no obstacle to flip back in a look-up. There are many security sites that suggest the current minimum hash standard is SHA256 with a true "seed" offset. In PHP I use at least -
$jumbled = hash_hmac('sha256', $Password, $longSeed, true);
and store it in a VARBINARY table column.
I use sha384, sha512 or whirlpool, if available; better safe than sorry.
The hash_hmac() does a true seed distortion, so the normal look-up tables for a hash algorithm will not work.
0
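The following is an added example, not code from Slick812's post or from any project: it shows the approach described above (hash_hmac with sha256, keyed with a long server-held secret, raw binary output stored in a VARBINARY column) in a form that can be dropped into a PHP 7+ application. The per-user random salt, the table name and columns (users.salt VARBINARY(16), users.pw_hash VARBINARY(32)) and the PDO connection are assumptions for the sake of the example; $serverKey stands in for the "long seed" and would be loaded from configuration outside the web root, never from the database itself.

```php
<?php
// Added example (not from the thread). Server-side password hashing as described
// above: HMAC-SHA256 keyed with a server-held secret, plus a per-user random salt
// so two users with the same password do not share a hash. Requires PHP 7+
// (random_bytes, hash_equals). Column sizes below are assumed for this example.

const HASH_ALGO  = 'sha256'; // 32-byte raw output -> VARBINARY(32) column
const SALT_BYTES = 16;       // 16-byte raw salt   -> VARBINARY(16) column

/**
 * Hash a new password. Returns ['salt' => binary, 'hash' => binary] for storage.
 * The salt is stored next to the hash; the server key is NOT stored in the DB,
 * so a dumped table alone cannot be attacked with precomputed look-up tables.
 */
function hashPassword(string $password, string $serverKey): array
{
    $salt = random_bytes(SALT_BYTES);
    $hash = hash_hmac(HASH_ALGO, $salt . $password, $serverKey, true); // raw binary
    return ['salt' => $salt, 'hash' => $hash];
}

/**
 * Recompute the HMAC for a login attempt and compare in constant time, so the
 * response time does not reveal how many leading bytes of the hash matched.
 */
function verifyPassword(string $password, string $salt, string $storedHash, string $serverKey): bool
{
    $candidate = hash_hmac(HASH_ALGO, $salt . $password, $serverKey, true);
    return hash_equals($storedHash, $candidate);
}

/** Persist salt and hash as binary columns (assumed table: users). */
function storeUserPassword(PDO $db, int $userId, string $password, string $serverKey): void
{
    $rec  = hashPassword($password, $serverKey);
    $stmt = $db->prepare('UPDATE users SET salt = :salt, pw_hash = :hash WHERE id = :id');
    $stmt->bindValue(':salt', $rec['salt'], PDO::PARAM_LOB);
    $stmt->bindValue(':hash', $rec['hash'], PDO::PARAM_LOB);
    $stmt->bindValue(':id',   $userId,      PDO::PARAM_INT);
    $stmt->execute();
}

/** Look up the stored salt/hash and check a login attempt. */
function checkUserPassword(PDO $db, int $userId, string $password, string $serverKey): bool
{
    $stmt = $db->prepare('SELECT salt, pw_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user; caller should not distinguish this from a bad password
    }
    return verifyPassword($password, $row['salt'], $row['pw_hash'], $serverKey);
}

// Stand-alone demo without a database. The key here is constructed for the demo
// only; in a real deployment it is loaded from configuration and kept stable,
// since changing it invalidates every stored hash.
$serverKey = random_bytes(32);
$rec = hashPassword('correct horse battery staple', $serverKey);
var_dump(verifyPassword('correct horse battery staple', $rec['salt'], $rec['hash'], $serverKey));
var_dump(verifyPassword('wrong password', $rec['salt'], $rec['hash'], $serverKey));
var_dump(strlen($rec['hash']) === 32 && strlen($rec['salt']) === SALT_BYTES);
```

Two design points worth noting. First, the secret key is what defeats look-up tables here, so the application and the database must be compromised together before offline cracking is even possible; that is also why the key must live outside the database. Second, an HMAC is fast by design, so it puts no work factor between an attacker and a guessed password the way a dedicated password hash does; PHP 5.5 and later ship password_hash() and password_verify() (bcrypt), which can be used in place of the hash_hmac() call in hashPassword()/verifyPassword() without changing the storage layout beyond the column size.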
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 100 total points
ID: 39912210
I use md5().  Despite what lots of people write about it, it's good enough if the passwords are salted correctly (and if your clients are not idiots who choose a password like "password" thereby destroying any chance they have of account security).

Please go to this article and read the part about An Afterword: About Storing Passwords for some of my thoughts and observations.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912391
Thanks Ray, I have already read your article probably more than a couple of times as well as https://crackstation.net/hashing-security.htm. I saw in a few threads you mentioned the same thing about md5 and I agree. The real issue is, as you suggest, bad passwords. When I try and set up some parameters to ensure at least 8 characters, use upper and lower case and a special character, I will get a complaint from the client that the password becomes too hard to remember and they just want to enter in their kid's name. I send them a few links about the dangers of easy passwords (not including the @N, @JP sagas https://medium.com/cyber-security/24eb09e026dd).

I have always just set the hash using server-side code and was wondering if there is any advantage to doing this on the DB. I think it may be best to keep using server-side code for this. If I wanted to reuse code from one project to the next, I think I could be more consistent and not worry about how sql server vs mysql works.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39912497
Agree about code reuse vs different SQL engines.  One of the ideas that seems to be getting some traction lately is the idea of a pass-phrase instead of a password.  This may be easier for clients who agonize over the one upper, one lower, one special, one number, etc... rules.  But still, the effect is the same as the hashing effect - adding more characters should make the cracking process take a little longer.  It will do nothing to prevent it forever.
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912623
I have not re-read this one in a while: http://arstechnica.com/security/2012/08/passwords-under-assault/ I seem to recall they talked about pass phrases being a good option.

I think I am going to stick with hashing server-side.
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 39912721
0
 
LVL 33

Expert Comment

by:Slick812
ID: 39912875
In any security setup it is better to go with the "more" rather than the "least"; using md5 when you can just as easily use sha256 defies any thinking that I can do. Anyone who has had md5 passwords rolled through and exacted would likely never say what Ray says about using md5 anyway.
A Quote from the "minced-meat" article that Ray Paseur gave -
"the website's unfortunate and irresponsible use of MD5"
0
 
LVL 52

Author Comment

by:Scott Fell, EE MVE
ID: 39912949
I didn't mean for this to be a debate on which algo to use. I am using sha256; any of them are just as easy to use as the next. In the end, if somebody did break in, they would probably be smart enough to find the code that ultimately has the password. Plus they would be able to see a bunch of names, addresses, event activity.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
ID: 39913111
That's a puzzle to me.  If someone has gotten access to the point where they can even see the MD5 version of the password, your site has already been thoroughly compromised.
0
 
LVL 52

Author Closing Comment

by:Scott Fell, EE MVE
ID: 39915052
Sticking with server side code.  Thanks!
0
