
I want to hash passwords before storing them in the database. I am not able to understand which approach will be suitable. For example:

1. Hash the plain password directly with SHA-1, SHA-256, etc. and then store it in the DB.
2. Encrypt the password first using AES-256, then hash it using SHA-1, SHA-256, etc. and store it in the DB.

Please help me decide which approach is suitable and how I can validate the password when the client logs in.

  • I just want to know whether encryption is needed before hashing or not, and the link mentioned does not cover this answer. – user2724058 Sep 14 '15 at 10:49
  • No, it is not needed and doesn't add any benefit (that's why it is not mentioned ;) ). However, be sure to select the right hash function, since SHA* functions are not suited to securely hash a password: *this* would improve your hashes' security :) ! – WhiteWinterWolf Sep 14 '15 at 10:53
  • You mean the data will travel on the network in the form of a hash instead of encrypted? – user2724058 Sep 14 '15 at 10:54
  • "Password sending" is a different issue than "password storing"; if you would like to encrypt the password before sending it, you would then need to think about how to send the encryption key => dead end (chicken-and-egg issue). Recommended way: use TLS to secure the communication; the password could then be sent securely through this means. If for some reason you cannot use TLS, at least generate a hash on the client side (which might then need to be re-hashed on the server side before being stored in the database); this will ensure that the password does not circulate in clear form over the network. – WhiteWinterWolf Sep 14 '15 at 10:59
  • I cannot use TLS; I have a client and a server, both desktop applications communicating with each other over a socket (TCP/IP), not HTTP based. In my scenario, I can use ECDH key exchange using the OpenSSL library, and then I can hash the password and also encrypt it with the shared secret (session key) before sending it on the socket, and on the server side I can decrypt it and then store the hash in the database? – user2724058 Sep 14 '15 at 11:10
  • @WhiteWinterWolf: But the hashed password will circulate in clear form over the network. And since it's the only thing you need to authenticate, you're back to square one. – Volker Sep 14 '15 at 11:17
  • Over the network, you mean from my server app to the database server? – user2724058 Sep 14 '15 at 11:37
  • @user2724058: TLS is not restricted to HTTP; it goes between your application and the TCP transport layer. If you can use the OpenSSL library, then you can use TLS, and I strongly encourage you to check how to establish a proper TLS connection using this library, since it will be the safest and easiest way to unload you of all the network security and remote authentication tasks. Other ways will most likely [be flawed either way](http://security.stackexchange.com/questions/2202/lessons-learned-and-misconceptions-regarding-encryption-and-cryptology/2210#2210). – WhiteWinterWolf Sep 14 '15 at 13:28
  • I have written a scalable (IOCP) socket between my server and client app. Are you suggesting replacing this with OpenSSL, or are you suggesting using the existing socket model and OpenSSL's TLS feature? – user2724058 Sep 15 '15 at 09:20
