Good morning,
        I question whether it is a good idea any longer to make your password 
checking so simple. A GPU setup with your hash records would take all of about 
2 hours to crack 2000 accounts using just SHA-256. That was 5 years ago. Now 
look at how fast the GPUs are. 

        Instead, current best practice is to use PBKDF2 with 10K cycles or 
higher with a unique site salt and an individual unique salt. Or use bcrypt in 
place of PBKDF2, again with unique salts. Otherwise you are one hack or 
accidental release away from having a major breach of your system's password 
protections.

        While somebody may not directly attack your DB for the data stored in 
it, they may attack it to steal the hashes to get the weakly encrypted 
passwords. The reason being that few people practice good personal security 
practices and use the same password in multiple places. Hence the hash in your 
DB could be used to get a hacker into one of your users' bank accounts. By 
following best practices in password hashing and password protection, at least 
your system will not be the weak link that exposes your users' passwords to the 
world. If you're not a crypto specialist, please do not try to code this yourself. 
Look into proper best practices, follow them and use them. 

-----------------------------------------------------------------------

MacCafe
4405 Talmadge  St.
Toledo, OH 43623
Eric Naujock  -  ACSA 10.2, 10.3, 10.4 Apple - ACTC 10.5, 10.6, 10.7, 10.8, 
10.9, 10.10
http://www.mac-cafe.com
email: [email protected]
AOL IM: erlic



> On Nov 3, 2016, at 5:34 PM, JasonH <[email protected]> wrote:
> 
> I've got this working, but it returns a blob with 32 "octets".  Looks just
> like an array.  Probably dumb question, but how do I turn this into a text
> variable?  I tried Blob to Text and Blob to Variable with no luck.
> 
> I'm using this to store passwords.  So I take the entered password, compute
> the SHA256, and compare to the saved SHA256 to see if it's a match.
> 
> Thanks!
> Jason
> 
> 
> 
> 
> --
> View this message in context: 
> http://4d.1045681.n5.nabble.com/Generate-Digest-SHA2-tp5748365p5748373.html
> Sent from the 4D Tech mailing list archive at Nabble.com.
> **********************************************************************
> 4D Internet Users Group (4D iNUG)
> FAQ:  http://lists.4d.com/faqnug.html
> Archive:  http://lists.4d.com/archives.html
> Options: http://lists.4d.com/mailman/options/4d_tech
> Unsub:  mailto:[email protected]
> **********************************************************************
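
The two schemes discussed in this thread, side by side, as an added example that is not part of either message and is written in Python rather than 4D: the unsalted SHA-256 comparison from the quoted question, and PBKDF2 with a site salt plus a per-user salt as the reply recommends. The function names, the record format, the site salt value and the iteration count are assumptions made for the illustration; the derivation itself is done by the standard library.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000                   # assumption; the reply asks for 10K or higher
SITE_SALT = b"constructed-site-salt"   # constructed value; stored outside the DB in practice

def sha256_hex(password):
    """Scheme from the quoted question: one unsalted SHA-256, kept as hex text."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password, user_salt=None, iterations=ITERATIONS):
    """Return a text record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'."""
    if user_salt is None:
        user_salt = os.urandom(16)     # fresh random salt for every account
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  SITE_SALT + user_salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, user_salt.hex(), derived.hex())

def verify_password(password, record):
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        iterations = int(iters)
        user_salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False                   # malformed record: reject, never raise
    if scheme != "pbkdf2_sha256" or not 1 <= iterations <= 10_000_000:
        return False
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  SITE_SALT + user_salt, iterations)
    return hmac.compare_digest(derived, expected)

if __name__ == "__main__":
    # Two accounts sharing a password: identical under plain SHA-256,
    # different records under salted PBKDF2.
    print(sha256_hex("hunter2") == sha256_hex("hunter2"))
    first, second = hash_password("hunter2"), hash_password("hunter2")
    print(first != second, verify_password("hunter2", first))
```

Storing the iteration count and salt inside the record lets the work factor be raised later without invalidating existing accounts.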
