On 2014-04-23 12:11, Kevin Cully wrote:
Yes, any of my suggestions might be overkill for any particular
situation. I'll trust you to choose the points that you would like to
implement.
I suggest storing the passwords in a separate table because of the
"Security By Obesity" concept. By storing the values in another
table, this opens up the possibility of storing that table in another
database, perhaps on another server.
On another note, do not use MD5. Use a stronger, slower hashing
mechanism. MD5 is no longer considered a secure hashing mechanism,
partly because it is fast. SCrypt or BCrypt or PBKDF2 are slower, and
help prevent brute force attacks on your system.
From that link Ed provided:
1. MD5, SHA-1, SHA-256, SHA-512, et al, are not "password hashes." By
all means use them for message authentication and integrity checking,
but not for password authentication.
Well, that pretty much guts what I was trying to do...to use Craig
Boyd's VFPEncryption.FLL HASH function. BUT, in looking over the
documentation
(http://www.sweetpotatosoftware.com/spsblog/2009/08/09/MajorVFPEncryptionUpdate.aspx)
more closely, perhaps I could use the ENCRYPT function to get the Blowfish
encryption type (of which bcrypt is a modified version, according to that
link Ed gave), then HASH that to get the string to store (with salting at
both the ENCRYPT and HASH points, of course). What do you think?
This message:
http://leafe.com/archives/byMID/profox/[email protected]