Solved

Password Hashing - Server Side Code vs Database

Posted on 2014-03-06
13
487 Views
Last Modified: 2014-03-08
Do you prefer to hash your passwords using server side code like php/asp or use the built in function of the DB like sql server HASHBYTES?
0
Question by:Scott Fell,  EE MVE
13 Comments
 
LVL 83

Accepted Solution

by:
Dave Baldwin earned 100 total points
ID: 39911127
I have always used the PHP methods.  Don't even know about the SQL methods.
0
 
LVL 8

Assisted Solution

by:N-W
N-W earned 100 total points
ID: 39911262
Always using server side code.

Using server side code, your security isn't dependent on the database software you are running. The hashing utilities built into database systems are generally fairly poor in comparison to what can be written in your code.

Separating it from the database software also allows you to use your code with different database software if needed later on.
0
 
LVL 35

Assisted Solution

by:David Todd
David Todd earned 100 total points
ID: 39911625
Hi

Okay for transportability, then do it in the application.

OTOH, you could use SQL and pwdcompare and pwdencrypt, which would allow you to store the hashed passwords in the database quite easily:

http://technet.microsoft.com/en-us/library/dd822792.aspx

BTW these are the same functions etc. that the SQL authenticated logins use, so I'm pretty sure that for 90% of the time it is strong enough on a recent version of SQL.

HTH
  David
0
 
LVL 34

Assisted Solution

by:Slick812
Slick812 earned 100 total points
ID: 39911627
I also use server side and not SQL to do passwords for DB storage; there are now so many hash look-up tables for MD5 and SHA that these are considered no obstacle to flip back via a look-up. There are many security sites that suggest the current minimum hash standard is SHA256 with a true "seed" offset. In PHP I use at least:
$jumbled = hash_hmac('sha256', $Password, $longSeed, true);
and store it in a VARBINARY table column.
I use sha384, sha512 or whirlpool, if available; better safe than sorry.
The hash_hmac() does a true seed distortion, so the normal look-up tables for a hash algorithm will not work.
0
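As an added example, not code from the thread or any of its posters, this is what the hash_hmac('sha256', ...) approach above looks like as a complete server-side routine with a random per-user salt, so that two users with the same password never share a stored digest. It assumes PHP 7 or later (random_bytes, hash_equals); the function names and the sample password are illustrative.

```php
<?php
// Added example: server-side password storage with a per-user random salt
// and an HMAC-SHA256 digest, as discussed in the thread. Assumes PHP 7+.

const SALT_BYTES = 32;

// Build the record to persist for a new password. Both values are raw
// bytes, suited to two VARBINARY(32) columns as the thread suggests.
function makePasswordRecord(string $password): array
{
    // Fresh random salt per user; it is stored next to the digest, not secret.
    $salt = random_bytes(SALT_BYTES);
    $digest = hash_hmac('sha256', $password, $salt, true);
    return ['salt' => $salt, 'digest' => $digest];
}

// Verify a login attempt against a stored record. hash_equals() compares in
// constant time so a mismatch does not leak where the digests diverge.
function verifyPassword(string $password, array $record): bool
{
    $candidate = hash_hmac('sha256', $password, $record['salt'], true);
    return hash_equals($record['digest'], $candidate);
}

// Demonstration with a constructed password (not a real credential).
$password = 'correct horse battery staple';
$record = makePasswordRecord($password);
$again = makePasswordRecord($password);

// Correct password verifies; a one-character change does not.
var_dump(verifyPassword($password, $record));
var_dump(verifyPassword('Correct horse battery staple', $record));

// Same password, different salt: the two stored digests differ, which is
// why a precomputed look-up table for one user's hash tells nothing about
// another user's.
var_dump($record['digest'] === $again['digest']);
echo bin2hex($record['salt']), ' ', bin2hex($record['digest']), "\n";
```

One caveat the thread only touches on when discussing cracking time: HMAC-SHA256 is fast by design, so PHP's built-in password_hash() and password_verify() (PHP 5.5+, bcrypt-based and deliberately slow) are the stock alternative when resistance to offline brute force matters more than raw speed.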
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 100 total points
ID: 39912210
I use md5().  Despite what lots of people write about it, it's good enough if the passwords are salted correctly (and if your clients are not idiots who choose a password like "password" thereby destroying any chance they have of account security).

Please go to this article and read the part about An Afterword: About Storing Passwords for some of my thoughts and observations.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
0
 
LVL 53

Author Comment

by:Scott Fell, EE MVE
ID: 39912391
Thanks Ray, I have already read your article probably more than a couple of times as well as https://crackstation.net/hashing-security.htm. I saw in a few threads you mentioned the same thing about md5 and I agree. The real issue is, as you suggest, bad passwords. When I try and set up some parameters to ensure at least 8 characters, use upper and lower case and a special character, I will get a complaint from the client that the password becomes too hard to remember and they just want to enter in their kids' name. I send them a few links about the dangers of easy passwords (not including the @N, @JP sagas https://medium.com/cyber-security/24eb09e026dd).

I have always just set the hash using server-side code and was wondering if there is any advantage to doing this on the DB. I think it may be best to keep using server-side code for this. If I wanted to reuse code from one project to the next, I think I could be more consistent and not worry about how sql server vs mysql works.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39912497
Agree about code reuse vs different SQL engines.  One of the ideas that seems to be getting some traction lately is the idea of a pass-phrase instead of a password.  This may be easier for clients who agonize over the one upper, one lower, one special, one number, etc... rules.  But still, the effect is the same as the hashing effect - adding more characters should make the cracking process take a little longer.  It will do nothing to prevent it forever.
0
 
LVL 53

Author Comment

by:Scott Fell, EE MVE
ID: 39912623
I have not re-read this one in a while: http://arstechnica.com/security/2012/08/passwords-under-assault/ I seem to recall they talked about pass phrases being a good option.

I think I am going to stick with hashing server-side.
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 39912721
0
 
LVL 34

Expert Comment

by:Slick812
ID: 39912875
In any security setup it is better to go with the "more" rather than the "least"; using md5 when you can just as easily use sha256 defies any thinking that I can do. Anyone who has had md5 passwords rolled through and extracted would likely never say what Ray says about using md5 anyway.
A quote from the "minced-meat" article that Ray Paseur gave:
"the website's unfortunate and irresponsible use of MD5"
0
 
LVL 53

Author Comment

by:Scott Fell, EE MVE
ID: 39912949
I didn't mean for this to be a debate on which algo to use. I am using sha256; any of them are just as easy to use as the next. In the end, if somebody did break in, they would probably be smart enough to find the code that ultimately has the password. Plus they would be able to see a bunch of names, addresses, event activity.
0
 
LVL 83

Expert Comment

by:Dave Baldwin
ID: 39913111
That's a puzzle to me.  If someone has gotten access to the point where they can even see the MD5 version of the password, your site has already been thoroughly compromised.
0
 
LVL 53

Author Closing Comment

by:Scott Fell, EE MVE
ID: 39915052
Sticking with server side code.  Thanks!
0
