On 2014-04-23 16:36, Kevin Cully wrote:
> The only change I'd make would be something like this:
> && == Begin pseudoCode ==
> lcTempHash = MyHashRoutine( ClientID + UserID + Password + Salt )
> FOR nX = 1 TO nMyHashIterations && Something like 30
>    lcTempHash = MyHashRoutine( lcTempHash + Salt )
> ENDFOR
> && == End pseudoCode ==
Minor comment: you'd want to look to go to nMyHashIterations - 1 since
you do the 1st one before the FOR loop.
> If someone were to acquire your USER table plus your PASSWORD table,
> they would still need to know your nMyHashIterations value to
> effectively compromise your system.
Would you encrypt the nMyHashIterations value stored in the Passwords
table? Otherwise, using your scenario, the thief would see the # of
iterations you've used. This is where you'd just store the
MyEncryptRoutine(nMyHashIterations) value to that Passwords.nIterations
field, if I'm following you correctly.
> If you ever suspect that your database has been compromised, you could
> temporarily (in code) allow for both 30 OR 42 iterations for a valid
> password; force each user to reset their password and re-secure the
> system by generating a new salt for that user, hashing the
> password to 42 iterations and storing that value to the passwords
> table, and deleting the 30-iteration hashed password. People before X
> date are allowed in with 30 iterations for a matched hashed password,
> then forced to create a new password. People after X date are only allowed
> in with a 42-iteration matched hashed password.
I do have a tstamp field that's a timestamp value showing me when the
record was added; that could come in handy for such theory as you state
above. Did you pick 30 and 42 randomly, or was there something specific
about those values?
Thanks,
--Mike
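The iterate-then-migrate scheme the two of them sketch, written out as an added Python example (not code from either poster): SHA-256 stands in for MyHashRoutine, a dict stands in for the Passwords row with its nIterations and tstamp fields, and the cutover date is a constructed stand-in for the "X date" in the thread. It runs exactly N rounds (Mike's "- 1" remark), accepts 30-round hashes only for rows added before the cutover and flags them for a forced reset, and re-secures a user with a fresh salt at 42 rounds.

```python
import datetime
import hashlib
import hmac
import os

OLD_ITERATIONS = 30                    # count in use before the suspected compromise
NEW_ITERATIONS = 42                    # count everything is re-hashed to afterwards
CUTOVER = datetime.date(2014, 5, 1)    # constructed stand-in for the thread's "X date"


def iterated_hash(client_id, user_id, password, salt, iterations):
    """Hash ClientID+UserID+Password+Salt, then re-hash (iterations - 1) more
    times with the salt appended, so exactly `iterations` rounds run in total.
    The NUL separators keep "12"+"3" from colliding with "1"+"23"."""
    h = hashlib.sha256(
        b"\x00".join(s.encode() for s in (client_id, user_id, password)) + salt
    ).digest()
    for _ in range(iterations - 1):
        h = hashlib.sha256(h + salt).digest()
    return h


def create_record(client_id, user_id, password, iterations=NEW_ITERATIONS, added=None):
    """Build the row stored in the Passwords table (a dict stands in for it)."""
    salt = os.urandom(16)              # fresh per-user salt
    return {
        "salt": salt,
        "hash": iterated_hash(client_id, user_id, password, salt, iterations),
        "iterations": iterations,      # the nIterations field
        "tstamp": added or datetime.date.today(),
    }


def verify(record, client_id, user_id, password):
    """Return (password_ok, must_reset). Rows added before CUTOVER may still
    match at OLD_ITERATIONS but are flagged for a forced reset; rows added
    after it are accepted only at NEW_ITERATIONS."""
    allowed = {NEW_ITERATIONS}
    if record["tstamp"] < CUTOVER:
        allowed.add(OLD_ITERATIONS)
    if record["iterations"] not in allowed:
        return False, False
    candidate = iterated_hash(client_id, user_id, password, record["salt"], record["iterations"])
    ok = hmac.compare_digest(candidate, record["hash"])   # constant-time compare
    return ok, ok and record["iterations"] != NEW_ITERATIONS


def reset_password(record, client_id, user_id, new_password):
    """Re-secure one user: new salt, NEW_ITERATIONS, old 30-round hash discarded."""
    record.update(create_record(client_id, user_id, new_password, NEW_ITERATIONS))
    return record
```

On Mike's question about encrypting the stored count: the verifier has to read it, so an attacker holding the table and the code reads it too; the per-user salt and a large work factor are what slow an offline guess, not secrecy of the count. Thirty or forty-two rounds of a fast hash is far below what a purpose-built password hash applies, so the real counts would need to be orders of magnitude higher.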
_______________________________________________
Post Messages to: [email protected]
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message:
http://leafe.com/archives/byMID/profox/[email protected]