Script Hash

20Aug 2013

Script Hash

by Craig Mayhew on Tue 20th Aug 2013 under Guides/Fixes

Developers have a responsibility to protect their users as much and as often as they can. I would like to live in a world where everyone leaves school with the know-how to protect their passwords with something such as lastpass for each site they use. However we aren't quite there yet.

Let's look at the various levels of hashing and security you can put in place to protect your users.

Level 0: Passwords are stored in plain text on the server file system or in a database. This is just terrible and the worst possible situation. Ideally your website/application will limit login attempts and enforce a minimum password length policy of at least 15 characters.

Level 1: Passwords are stored in a hashed form within the database using MD5 or similar. Slightly better but GPU speed now means passwords up to 9 characters can be found from their hash by brute forcing in less than a day.

Level 2: A password SALT is used. This helps make the passwords much more difficult, if not impossible to compute (depending on SALT length and how many years computers take to reach speeds needed to brute force it). However - anyone with access to the SALT can take this back to level 1 and do you really believe someone can get a copy of your database but not manage to get the SALT too?

Level 3: A password SALT that us unique to each user is used. Same as the above but you have some function that you try to keep secret too. If the function is known, it is still slower to brute force the entire database.

Level 4: You use all of the above and a hashing algorithm like Script. Script is designed to be slower to compute and require much more memory than say MD5 to compute a hash. The high volume of RAM required means you can't run many hashes in parallel on say a GPU.

Level 5: Your code is ready to change to another hashing algorithm (e.g. as users log in) so you can upgrade them in future to even more secure hashes.

Script   hashing   passwords   security  



© 2005-2024 Craig Mayhew