Hash + salt is better than hash without salt.

Paul: SSL is orthogonal though, it wasn't clear from your post whether SSL
was another failure point or not (I hope it was); but SSL doesn't make a
hash stronger or weaker.  i.e. the raw entered password (from a login)
should be transmitted over SSL to the server, which would then generate a
hash from it and compare it with the stored hash for that user.  This
means no one can sniff the password over the wire and if the data on the
server is compromised the password would not be made available (only the
hash).


On Tue, 22 Apr 2008 08:42:15 -0700, Greg Young <[EMAIL PROTECTED]>
wrote:

>My guess would be a good hash function + a salt  ... + SSL for
>transmission would pass ...
>
>On Tue, Apr 22, 2008 at 7:10 AM, Peter Ritchie
><[EMAIL PROTECTED]> wrote:
>> SHA1 isn't an encryption, it's a hash. A hash is one-way, you can't
>>  rehydrate the original data from a hash. base64 isn't encryption, it's
>>  encoding, meaning anyone can decode it.
>>
>>  If you really want to pass the audit, find out from them what hash
>>  algorithm  will pass.  Maybe SHA-512 will pass?
>>
>>
>>  On Tue, 22 Apr 2008 14:12:26 +0000, Paul Cowan <[EMAIL PROTECTED]>
>>  wrote:
>>
>>  >Hi, We have a web application where the username and password are
>>  >stored in the database. The password is stored as SHA1. We have just
>>  >been through a security audit which deemed SHA1 to be not the safest
>>  >encryption algorithm. Is there any way we can update the passwords from
>>  >SHA1 to base64? We also need to have the transport running over https,
>>  >how can we develop against Https without purchasing a certificate?
>>  >Is there a [EMAIL PROTECTED]
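The three points made in this thread, worked through in Python as an added example (not code from any of the posters): base64 is reversible encoding, an unsalted hash is identical for every user with the same password, and a per-user random salt removes that. The user names and passwords are constructed sample data; TLS is not modelled because it only protects the wire, not the stored hash.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: two users who happen to choose the same password.
USERS = {"alice": "correct horse", "bob": "correct horse"}


def base64_roundtrip(password: str) -> str:
    """base64 is an encoding, not encryption: anyone can decode it."""
    encoded = base64.b64encode(password.encode()).decode()
    return base64.b64decode(encoded).decode()  # original text recovered


def unsalted_sha1(password: str) -> str:
    """What the audited application stored: identical for identical passwords."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_salted_record(password: str, salt: bytes = b"") -> str:
    """Store salt and hash together as 'hex_salt$hex_digest'.

    The salt is 16 random bytes per user, so equal passwords give different
    records and a precomputed table for one user does not help with another.
    SHA-256 stands in for the 'good hash function' the thread suggests; a
    deliberately slow KDF such as PBKDF2 would be used in current practice.
    """
    if not salt:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode()).digest()
    return f"{salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Server side: rehash the submitted password with the stored salt.

    The plaintext arrives over TLS, is hashed, and only the hashes are
    compared; hmac.compare_digest keeps the comparison constant-time.
    """
    salt_hex, digest_hex = record.split("$", 1)
    expected = hashlib.sha256(bytes.fromhex(salt_hex) + candidate.encode()).digest()
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


def demo() -> dict:
    """Return the observations the thread makes, as booleans."""
    records = {user: make_salted_record(pw) for user, pw in USERS.items()}
    return {
        "base64_reversible": base64_roundtrip("hunter2") == "hunter2",
        "unsalted_equal": unsalted_sha1(USERS["alice"]) == unsalted_sha1(USERS["bob"]),
        "salted_equal": records["alice"] == records["bob"],
        "alice_ok": verify_password(records["alice"], "correct horse"),
        "alice_wrong": verify_password(records["alice"], "wrong"),
    }
```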

===================================
This list is hosted by DevelopMentor®  http://www.develop.com

View archives and manage your subscription(s) at http://discuss.develop.com