Forums / Cotonti / Development / Genoa improved security

password storage in database hash

GHengeveld
#34741 2012-06-22 09:27

Sorry about that, it wasn't necessary to make a comment about that. I really do appreciate your efforts.

I was thinking perhaps it's an idea to add a prefix to the hashed password instead of an extra column. The downside is that the password field has to be longer than 32 chars.

Alternatively, it may be a good idea to switch from md5 to sha1/sha256, which results in a 40-char hash. Then it's possible to check the passhash string length to determine whether the user's password is already migrated to the new scheme (with salt). E.g. user_salted = (strlen(user_password) == 40)
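The length check suggested in the post above, worked into a login-time migration, as an added example that is not part of the original post or of Cotonti's code. The `user_salt` column, the `salt . password` layout and all function names are assumptions made for illustration; `user_password` is the field named in the post.

```php
<?php
// Added example: detect the hash scheme by length and migrate on login.
// Assumptions: a user_salt column exists; new hash = sha1(salt . password).

const LEN_MD5  = 32; // hex length of md5(): legacy, unsalted
const LEN_SHA1 = 40; // hex length of sha1(): new, salted (a sha256 hex digest is 64)

// True when the stored hash already uses the new salted scheme.
function is_salted(string $stored): bool
{
    return strlen($stored) === LEN_SHA1;
}

function new_hash(string $password, string $salt): string
{
    return sha1($salt . $password);
}

// Returns [bool $ok, array $user]. When a legacy hash verifies, the returned
// row carries the new salt and hash; the caller must write it back to the DB.
function verify_and_migrate(array $user, string $password): array
{
    $stored = $user['user_password'];

    if (is_salted($stored)) {
        // hash_equals() compares in constant time.
        return [hash_equals($stored, new_hash($password, $user['user_salt'])), $user];
    }

    // Anything that is neither 40 nor 32 chars is rejected rather than guessed at.
    if (strlen($stored) !== LEN_MD5 || !hash_equals($stored, md5($password))) {
        return [false, $user];
    }

    // Legacy hash matched: the plaintext is available only now, so re-hash it.
    $user['user_salt']     = bin2hex(random_bytes(8));
    $user['user_password'] = new_hash($password, $user['user_salt']);
    return [true, $user];
}

// Constructed sample row holding a legacy md5 hash.
$row = ['user_password' => md5('correct horse'), 'user_salt' => ''];

[$ok, $row] = verify_and_migrate($row, 'correct horse'); // legacy path, migrates
var_dump($ok, is_salted($row['user_password']));

[$okAgain] = verify_and_migrate($row, 'correct horse');  // salted path
[$okWrong] = verify_and_migrate($row, 'wrong password');
var_dump($okAgain, $okWrong);
```

Accounts that never log in again keep their unsalted md5 hash, so the length check has to stay in the login path until those rows are reset or expired.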