How to store and verify a password?

Last update on June 16, 2009 07:58 AM by jak58
Published by jak58

If you develop an application that manages passwords, it is important to handle them properly; otherwise you risk a break-in on your system and the compromise of your users' data.


There is a recognized good practice for storing a password.

The right way to store


Store the login, a random per-user salt, and the hash of (salt + password), computed with a slow password-hashing function (bcrypt, scrypt, Argon2 or PBKDF2).

Pseudo-code:
  salt = random_bytes(16)
  passwordHash = PasswordHash(salt, password)
Store login, salt and passwordHash. Do not store the password.

Why hash?


We should never store the password in clear text.

Risk: If someone breaks into your database, they can read the passwords and use them directly, on your system and on every other site where your users reused the same password.

Protection: A hash function computes a fingerprint of the password. Because the function is not reversible, the attacker cannot recover the password directly from the hash; they can only guess candidate passwords and hash each one to see whether it matches.
This is why a cryptographic hash is used, but a general-purpose fast hash (MD5, SHA-1, SHA-256, SHA-512) is not enough on its own: modern hardware computes billions of them per second, and MD5 and SHA-1 are in any case broken. Use a function designed for passwords, which is deliberately slow and has a tunable work factor: bcrypt, scrypt, Argon2 or PBKDF2.
Never use a CRC or CRC32: a checksum is meant to detect transmission errors and is trivially reversible.

Why using salt?


Rainbow tables are large tables of precomputed hashes (MD5 and others).
They allow an attacker to find quickly which password produced a given hash.

Risk: If you store just MD5(password), a rainbow table recovers the password in minutes, even seconds, and one precomputed table serves to attack every account in the database at once.

Protection: Using a salt makes rainbow tables useless, because the table would have to be rebuilt for every salt value.
The salt is a random value (16 bytes from a cryptographically secure random generator is enough), generated separately for each user when the password is set, and stored next to the hash. It does not need to be secret. A single constant compiled into the application is not a salt: it is shared by every user, so one precomputed table still attacks all of them, and its protection lasts only as long as the application code stays secret.

Why add the login?


If you store only MD5(salt + password) with a salt common to all users, or MD5(password), two users with the same password will have the same hash.

Risk: The attacker can immediately see which users share a password. If one of them is compromised, this gives immediate access to the others (who may have greater rights), and every guess is checked against all accounts at once.

Protection: Any value that differs per user, mixed into the input before hashing, makes the result different for each user even when the passwords are identical. Adding the login achieves this, but a random per-user salt does it better: logins are reused across sites, so an attacker can precompute a table for a given login, and a user who changes login would need the password re-hashed. With a random per-user salt, the login does not need to be part of the hash.

Verification


When you receive a login and a password, you simply repeat the same computation:
Look up in your database the salt and the hash stored for this login.
Compute the hash of (salt + password) with the same function and the same parameters.
Compare the two hashes with a constant-time comparison; if they are identical, the password entered is correct.
If the login does not exist, still run the hash computation (against a dummy record) and return the same error as for a wrong password, so that neither the response time nor the error message reveals which logins exist.
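The whole procedure above (storing a new password, then verifying a login attempt), as an added example in Python; this is not code from the original article. It uses PBKDF2-HMAC-SHA256 from the standard library as the slow hash, a 16-byte random salt per user, a constant-time comparison, and a dummy record for unknown logins. The in-memory users dictionary and the pbkdf2_sha256$iterations$salt$hash record format are assumptions made for the example, standing in for a real users table.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations is the current OWASP
# recommendation; the value is written into each record so it can be raised
# later without invalidating hashes that were stored with the old value.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16

# Stand-in for the users table (constructed for the example): login -> record.
users = {}


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 32-byte hash of (salt, password) with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Build the string to store: algorithm, work factor, per-user salt, hash.

    The salt is fresh random bytes for every call, so two users with the same
    password get different records. It is not secret and is kept in the record.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hash_password(password, salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def parse_record(record: str):
    """Split a stored record into (iterations, salt, hash)."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format: " + algo)
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def register(login: str, password: str, iterations: int = PBKDF2_ITERATIONS) -> None:
    """Store login, salt and hash; the password itself is never stored."""
    users[login] = make_record(password, iterations)


# Record for a login that does not exist. Checking a password against it costs
# the same as a real check, so response time does not reveal whether the login
# exists. Its password is random, so it never matches.
_DUMMY_RECORD = make_record(os.urandom(16).hex())


def verify(login: str, password: str) -> bool:
    """Recompute the hash for this login and compare it in constant time."""
    record = users.get(login)
    exists = record is not None
    if not exists:
        record = _DUMMY_RECORD
    iterations, salt, expected = parse_record(record)
    candidate = hash_password(password, salt, iterations)
    # compare_digest runs in time independent of where the bytes differ; a
    # plain == would stop at the first mismatching byte and leak it.
    matched = hmac.compare_digest(candidate, expected)
    return matched and exists


def needs_rehash(record: str) -> bool:
    """True when the stored work factor is below the current one. Call it after
    a successful login, when the password is known, and store a new record."""
    iterations, _, _ = parse_record(record)
    return iterations < PBKDF2_ITERATIONS


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    register("bob", "correct horse battery staple")  # same password, different record
    print(users["alice"])
    print(users["bob"])
    print(verify("alice", "correct horse battery staple"))  # True
    print(verify("alice", "wrong password"))                 # False
    print(verify("nobody", "correct horse battery staple"))  # False
```

The record carries its own parameters, so a future increase of the work factor (or a move to another algorithm) is a matter of checking needs_rehash at login time and rewriting the record; nothing about the stored salt needs to be hidden from an attacker who reads the table.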