by nononoxd 3828 days ago
Any good tutorial on how to deal with passwords? In a site of mine I generate a salt with UUIDv4 and generate a sha512 of the password+salt and store both the salt and hash. When the user authenticates I regenerate the hash and check. This is good, right? I still don't know how to deal with cookies/sessions though. And have no idea how basic http auth works.

I'd search myself but I'm afraid to find a "bad" tutorial.

5 comments

There's no way to beat around the bush: No, it is not good. It's better than a lot of sites, but it's still nowhere near good enough.

The key is speed: it's too fast. Far faster than you need it to be. Fast enough that attackers could attempt very large numbers of passwords per second.

What you want is something slow, to slow down the attackers.

Probably the most popular choice is bcrypt, and you can't go wrong making that decision. In some environments you may need something more standardised / accepted, in which case you want to look at PBKDF2. There's also scrypt, which is a bit stronger than bcrypt, but a bit newer.

_Any of these three are uncontroversial choices._ Using any of them is better than using just about anything else, and the gap between each of them is much smaller than the gulf between those three and schemes such as yours.

Once you've picked one you also need to tune it: make it as slow as you can bear. If your users won't be driven away by login taking a whole second, then make it take a whole second! The key is making it slow.

---

One broader piece of advice: Don't reinvent the wheel when it comes to security things. For passwords, sessions, and so on, you should be looking for well-supported, maintained, high-quality libraries that have been vetted for design and implementation mistakes. There are libraries out there to solve these problems; if you aren't a security expert you should be using them :)

Just use one of the existing key derivation functions. Scrypt and bcrypt should be good enough for most use cases, but you may want to google a bit before settling on one.

What you describe is easy to bruteforce using oclhashcat. Use scrypt or bcrypt or pbkdf2, in that order of preference.

There's now an actual standard for this: https://password-hashing.net/

The catch is one of "what platform are you using", as bindings are somewhat limited.