How to store user password security

Source: Internet
Author: User
Tags cryptographically secure dot net
First: The basics: Add salt hash (Hashing with salt)

We already know how quickly malicious attackers use query tables and rainbow tables to crack common hash encryption. We have also

It is understood that this problem can be solved by using a random salt hash. But, what kind of salt value do we use, and how will it

Mixed in with the password?

The salt value should use an encrypted secure pseudo-random number generator (cryptographically secure pseudo-random

Number Generator,csprng) is generated. Csprng and ordinary pseudo-random number generators are very different,

The rand () function, such as the "C" language. As the name implies, CSPRNG is designed to be used for cryptographic security, which means it can

A random number that is highly random and completely unpredictable. We don't want the salt value to be predicted, so we have to use CSPRNG.

The following table lists some of the csprng methods for the current mainstream programming platform.

Platform csprng
Php Mcrypt_create_iv, Openssl_random_pseudo_bytes
Java Java.security.SecureRandom
Dot NET (C #, VB) System.Security.Cryptography.RNGCryptoServiceProvider
Ruby SecureRandom
Python Os.urandom
Perl Math::random::secure
C + + (Windows API) CryptGenRandom
Any language on Gnu/linux or Unix Read From/dev/random Or/dev/urandom

Each user's password must use a unique salt value. Each time a user creates an account or changes a password, the password should take a new random salt value.

Never re-use a salt value. This salt value should also be long enough to allow for a sufficient amount of salt to be used for hash encryption. One rule of thumb is that salt

The value must be at least as long as the output of the hash function. The salt should be stored in the user account table along with the password hash.

Steps to store your password:

    1. Use CSPRNG to generate a sufficiently long random salt value.

    2. Mix salt values with passwords and encrypt them using a standard password hash function, such as Argon2, Bcrypt, Scrypt, or PBKDF2.

    3. The salt value is stored in the user database along with the corresponding hash value.

To verify the password:

    1. Retrieves the user's salt value and the corresponding hash value from the database.

    2. The salt value is mixed with the password entered by the user and is encrypted using a generic hash function.

    3. Compares the result of the previous step with the same hash value as the database store. If they are the same, the password is correct; otherwise, the password is incorrect.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.