Yes, you should consider using a nonce as part of the hash. A nonce is a salt that is specific to the individual hash. A salt is a string that you add to every password before you hash it.
The reason to salt hashes is to prevent the use of rainbow tables. A rainbow table is a pre-generated table of hashes and the plaintext for all strings up to N characters. If a hacker got access to your DB and your hashes, and you did not salt them, then the hacker could use a rainbow table to search for the hashes and get the plaintext for the password. Using a fixed salt for all passwords means that the hacker would have to generate a custom rainbow table. But, because the salt is the same for every hash, once they've generated the rainbow table (which might take a few weeks or so), they can use the same attack. Using a nonce (a salt that is specific to that individual hash) means that the hacker would have to generate a rainbow table for each and every password. Since security is just about making the effort to penetrate greater than the value of the secured contents, this often makes the effort greater than the value.

The way to use a nonce is to store the username, the hashed password, and the nonce in plaintext (which is fine, since it's not considered to be secure). You then query for the row that matches the username, get the nonce, hash their submitted password with the nonce you just fetched, and compare it to the hashed password stored in the DB. Pretty simple.

Also, do not use MD5; it's not secure enough any more. Use at least SHA-1.

Edward Smith

On Apr 24, 10:12 am, Jason Allen <[email protected]> wrote:
> I'm to the point in developing my app that I want to go ahead and code
> the functions to hash user passwords. Right now, they are kept in
> plain text (site is not live).
>
> Besides just using the basic hashing function, are there any other
> tips and best practices I should consider?
>
> --
> Open BlueDragon Public Mailing List
> http://www.openbluedragon.org/ http://twitter.com/OpenBlueDragon
> mailing list - http://groups.google.com/group/openbd?hl=en
>
> !! save a network - please trim replies before posting !!
