My guess would be a good hash function + a salt ... + SSL for transmission would pass ...
On Tue, Apr 22, 2008 at 7:10 AM, Peter Ritchie <[EMAIL PROTECTED]> wrote:
> SHA1 isn't an encryption, it's a hash. A hash is one-way, you can't
> rehydrate the original data from a hash. base64 isn't encryption, it's
> encoding- meaning anyone can decode it.
>
> If you really want to pass the audit, find out from them what hash
> algorithm will pass. Maybe SHA-512 will pass?
>
>
> On Tue, 22 Apr 2008 14:12:26 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
>
> >Hi, We have a web application where the username and password are
> >stored in the database. The password is stored as SHA1. We have just been
> >through a security audit which deemed SHA1 to be not the safest
> >encryption algorithm. Is there any way we can update the passwords from
> >SHA1 to base64? We also need to have the transport running over https, how
> >can we develop against Https without purchasing a certificate?
> >Is there a [EMAIL PROTECTED]
>
> ===================================
> This list is hosted by DevelopMentor(R) http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com

--
Studying for the Turing test
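Added example, not part of the thread: one way to move a table of unsalted SHA-1 digests to a salted, slow hash without knowing the passwords, by feeding each stored digest through PBKDF2-HMAC-SHA256 with a per-record salt. The choice of PBKDF2, the iteration count, the record format and all names are assumptions, as is the premise that the existing column holds lower-case hex digests.

```python
import hashlib
import hmac
import os

SCHEME = "pbkdf2-sha256-over-sha1"  # hypothetical label for this record format
ITERATIONS = 600_000                # assumption: tune to your own hardware

def legacy_sha1(password):
    """What the thread's database holds today: an unsalted SHA-1 hex digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def wrap_legacy(sha1_hex):
    """Upgrade one stored digest in place; the plaintext password is not needed."""
    salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", sha1_hex.encode("ascii"), salt, ITERATIONS)
    return "$".join([SCHEME, str(ITERATIONS), salt.hex(), dk.hex()])

def migrate(table):
    """Rewrite every row of a {username: sha1_hex} table to the salted format."""
    return {user: wrap_legacy(digest) for user, digest in table.items()}

def verify(password, stored):
    """Check a login attempt against an upgraded record."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False  # old unsalted rows are no longer accepted
    _, iters, salt_hex, dk_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", legacy_sha1(password).encode("ascii"),
        bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    # Constructed sample data: two users who happen to share a password.
    old = {"alice": legacy_sha1("correct horse"), "bob": legacy_sha1("correct horse")}
    new = migrate(old)
    print(old["alice"] == old["bob"])   # compares the unsalted digests
    print(new["alice"] == new["bob"])   # compares the salted records
    print(verify("correct horse", new["alice"]))
```

Once a user next logs in successfully, the record can be replaced with a hash computed directly from the password, dropping the SHA-1 inner step.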