Storing passwords

From: David Wheeler (dwheelerat_private)
Date: Fri Aug 23 2002 - 06:23:57 PDT


    The standard way to store passwords is... not to
    store passwords.  Instead, store a salted hash of
    the password in a database.  When you get a purported
    password, you re-salt it, compute the hash, and
    determine if they are the same.  This is how
    Unix has done it for years.  You want bigger hashes
    and salts than the old Unix systems, and you still want
    to prevent reading from those files (to foil password crackers).
    More info is in my book at:
       http://www.dwheeler.com/secure-programs
    --- David A. Wheeler
         dwheelerat_private
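The scheme described in the post (store a random salt plus a slow hash, then re-derive and compare on login) as an added example in Python; this is not code from the post or from the book it links. The record format `pbkdf2_sha256$<iterations>$<salt>$<hash>`, the 16-byte salt and the iteration count are assumptions chosen for this example, not anything the post specifies.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed record format for this example: "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
# Salt and hash sizes are deliberately larger than the old Unix crypt(3) scheme.
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record holding the salt and the derived key, never the password.

    The salt is random per password, so two users with the same password get different
    records and a stolen database cannot be attacked with one precomputed table.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_BYTES)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False  # unknown or downgraded algorithm tag: reject
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
    except ValueError:
        return False  # malformed record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    # compare_digest does not short-circuit on the first differing byte, so timing
    # does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    print(verify_password("wrong password", rec))
```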
    