Genoa improved security

password storage in database hash

Tags: Security

GHengeveld	#34748 2012-06-23 07:19
Team Thanked: 52 times	Trust wasn't being serious. Of course the db shouldn't be hacked in the first place, but we've seen in the past that there is always a risk of SQL injection, especially in extensions. I think you're really on the right path to make this thing more secure. I like your idea about changing salts. I haven't looked at your new code yet but I suggest using the user ID and secret key hashed together as salt. Whatever you do, some part of the salt must be stored in a file rather than the db.

GHengeveld

#34748 2012-06-23 07:19

Trust wasn't being serious. Of course the db shouldn't be hacked in the first place, but we've seen in the past that there is always a risk of SQL injection, especially in extensions. I think you're really on the right path to make this thing more secure. I like your idea about changing salts. I haven't looked at your new code yet but I suggest using the user ID and secret key hashed together as salt. Whatever you do, some part of the salt must be stored in a file rather than the db.