Possible Duplicate:
Secure hash and salt for PHP passwords
What is the best way to prepare a password for insertion into a database? I am aware of MD5, but I was wondering if there were some more features/encryptions I could do to it.
Thanks!
A standard practice is to salt the password before encryption.
In cryptography, a salt consists of random bits, creating one of the inputs to a one-way function. The other input is usually a password or passphrase. The output of the one-way function can be stored rather than the password, and still be used for authenticating users. The one-way function typically uses a cryptographic hash function. A salt can also be combined with a password by a key derivation function such as PBKDF2 to generate a key for use with a cipher or other cryptographic algorithm.

In a typical usage for password authentication, the salt is stored along with the output of the one-way function, sometimes along with the number of iterations to be used in generating the output (for key stretching). Early Unix systems used a 12-bit salt, but modern implementations use larger lengths from 48 to 128 bits. Salt is closely related to the concept of nonce.

The benefit provided by using a salted password is making a lookup table assisted dictionary attack against the stored values impractical, provided the salt is large enough. That is, an attacker would not be able to create a precomputed lookup table (i.e. a rainbow table) of hashed values (password + salt), because it would take too much space. A simple dictionary attack is still very possible, although much slower since it cannot be precomputed.
You really don't want to encrypt passwords; rather, store a hash of the password which you just 'match' against.
Storing passwords is very insecure and encryption can be broken; a one-way hash cannot*
References on SO:
* yet, that I know of
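As an added example (not code from the question or the answer above), here is the scheme the quoted salt description lays out, written for PHP: a random per-password salt, an iterated one-way function (PBKDF2), the salt and iteration count stored next to the output, and verification by recomputing and comparing. It assumes PHP 7.1 or later (for `random_bytes`, `hash_pbkdf2`, `hash_equals` and short list syntax); the `pbkdf2-sha256$iterations$salt$hash` record layout is this example's own convention, not a standard, and the sample password is constructed. The last block shows PHP's built-in `password_hash`/`password_verify`, which does the same job (bcrypt, automatic salt and cost) and is what a new application should use.

```php
<?php
// Added example: salted, iterated password hashing in PHP.
// Assumes PHP 7.1+. The record format below is this example's own convention.

const PBKDF2_ITERATIONS = 100000;   // stored in the record so it can be raised later
const SALT_BYTES        = 16;       // 128-bit random salt, the upper end of the range quoted above
const HASH_BYTES        = 32;       // raw SHA-256-sized output

// Build the value to store for a new password: algorithm, cost, salt and hash together.
function make_password_record(string $password, int $iterations = PBKDF2_ITERATIONS): string
{
    $salt = random_bytes(SALT_BYTES);                                        // CSPRNG, fresh per password
    $hash = hash_pbkdf2('sha256', $password, $salt, $iterations, HASH_BYTES, true); // raw bytes
    return sprintf('pbkdf2-sha256$%d$%s$%s', $iterations, base64_encode($salt), base64_encode($hash));
}

// Recompute the hash from the stored salt and iteration count and compare in constant time.
function verify_password_record(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;                                                        // unknown or malformed record
    }
    [, $iterations, $saltB64, $hashB64] = $parts;
    $salt     = base64_decode($saltB64, true);
    $expected = base64_decode($hashB64, true);
    if ($salt === false || $expected === false || (int)$iterations < 1) {
        return false;
    }
    $actual = hash_pbkdf2('sha256', $password, $salt, (int)$iterations, strlen($expected), true);
    return hash_equals($expected, $actual);                                  // no early-exit timing leak
}

// --- Demonstration with constructed inputs ---
$password = 'correct horse battery staple';
$record1  = make_password_record($password);
$record2  = make_password_record($password);

// Two users with the same password get different salts, so the stored columns differ:
// a table precomputed from passwords alone cannot be looked up against them.
printf("records differ for identical passwords: %s\n", var_export($record1 !== $record2, true));
printf("correct password verifies:            %s\n", var_export(verify_password_record($password, $record1), true));
printf("wrong password verifies:              %s\n", var_export(verify_password_record('Correct horse battery staple', $record1), true));
printf("garbage record verifies:              %s\n", var_export(verify_password_record($password, 'garbage'), true));

// The same idea with PHP's built-in API (PHP 5.5+): bcrypt with a random salt and a
// cost factor, all encoded into the returned string, so nothing extra has to be stored.
$builtin = password_hash($password, PASSWORD_DEFAULT);
printf("password_verify:                      %s\n", var_export(password_verify($password, $builtin), true));
// Lets you raise the work factor later and re-hash on next login when the stored cost is lower.
printf("needs rehash at cost 12:              %s\n", var_export(password_needs_rehash($builtin, PASSWORD_DEFAULT, ['cost' => 12]), true));
```

The two things the quoted text insists on are visible here: the salt is random and unique per password (so `$record1 !== $record2` even though the passwords are equal), and the iteration count travels with the hash, so it can be increased without invalidating existing records. `hash_equals` is used instead of `===` so the comparison does not leak how many leading bytes matched.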