The only change I'd make would be something like this:
&& == Begin pseudoCode ==
lcTempHash = MyHashRoutine( ClientID + UserID + Password + Salt )
FOR nX = 1 TO nMyHashIterations   && Something like 30
    lcTempHash = MyHashRoutine( lcTempHash + Salt )
ENDFOR
&& == End pseudoCode ==
If someone was to acquire your USER table plus your PASSWORD table, they
would still need to know your nMyHashIterations value to effectively
compromise your system.
If you ever suspect that your database has been compromised, you could
temporarily (in code) allow for both 30 OR 42 iterations for a valid
password; force each user to reset their password and re-secure the
system by generating a new salt for that user, and hashing the password
to 42 iterations and storing that value to the passwords table, deleting
the 30 iterations hashed password. People before X date are allowed in
with 30 iterations for a matched hashed password, forced to create a new
password. People after X date are only allowed in with a 42 iterations
matched hashed password.
On 04/23/2014 04:06 PM, [email protected] wrote:
So we store the password in a DIFFERENT table from the Users table,
and in the Users table we stored the Salt value (set via SYS(2015) to
make it random), which is encrypted with your master encryption key of
course before being stored in that field in the User table. SO...we
then look up the ClientID + UserID in the User table, then grab the
Salt key value, THEN we search the Passwords table for the SALTED and
HASHED key of the 3 part combination: ClientID + UserID + Password.
Thus, when the user changes his password, the new random Salt key
stored in the Users table for his record (cClientID and cUserID
fields) makes sure that his old passwords are invalid. Plus, this
adds to the security by obesity approach Kevin mentioned.
Right?
This message:
http://leafe.com/archives/byMID/profox/[email protected]
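Worked example added by the editor, not code from the thread: a Python sketch of the scheme described in the reply above, with SHA-256 standing in for MyHashRoutine, secrets.token_hex() for SYS(2015), in-memory dicts for the Users and Passwords tables, and the 30-to-42 iteration migration keyed to a constructed cutoff date (all of these are assumptions, the post names none of them).

```python
import hashlib
import hmac
import secrets

# Assumed stand-in for the post's MyHashRoutine (the post names no algorithm).
def my_hash_routine(data: str) -> str:
    return hashlib.sha256(data.encode()).hexdigest()

def iterated_hash(client_id, user_id, password, salt, iterations):
    """The post's pseudocode: seed hash, then re-hash with the salt N times."""
    temp = my_hash_routine(client_id + user_id + password + salt)
    for _ in range(iterations):
        temp = my_hash_routine(temp + salt)
    return temp

OLD_ITERATIONS, NEW_ITERATIONS = 30, 42
CUTOFF = "2014-04-23"  # constructed stand-in for the post's "X date" (ISO strings compare in date order)

# Constructed in-memory tables: Users holds the salt, Passwords holds only the hash.
users = {}      # (client_id, user_id) -> {"salt": str, "set_on": "YYYY-MM-DD"}
passwords = {}  # (client_id, user_id) -> hash string

def set_password(client_id, user_id, password, today, iterations=NEW_ITERATIONS):
    """New random salt on every change, so every earlier hash for this user stops matching."""
    salt = secrets.token_hex(16)  # stand-in for VFP SYS(2015)
    users[(client_id, user_id)] = {"salt": salt, "set_on": today}
    passwords[(client_id, user_id)] = iterated_hash(
        client_id, user_id, password, salt, iterations)

def verify(client_id, user_id, password):
    """Returns (accepted, must_reset).  Records set before CUTOFF may still match
    at 30 iterations but are then forced to reset; later records need 42."""
    rec = users.get((client_id, user_id))
    stored = passwords.get((client_id, user_id))
    if rec is None or stored is None:
        return False, False
    allowed = [NEW_ITERATIONS] + ([OLD_ITERATIONS] if rec["set_on"] < CUTOFF else [])
    for n in allowed:
        candidate = iterated_hash(client_id, user_id, password, rec["salt"], n)
        if hmac.compare_digest(candidate, stored):  # constant-time compare
            return True, n == OLD_ITERATIONS
    return False, False
```

A record reset after the cutoff gets a fresh salt and a post-cutoff date, so from then on only the 42-iteration hash is accepted for that user.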