Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Best practice for storing usernames & password in MySQL Databases [duplicate]

Possible Duplicate:
Secure hash and salt for PHP passwords

I am making a system that has stores user credentials (email, username and password) in a MySQL database and have seen conflicting views on using encryption, salting and encryption types.

What are the best methods you would recommend? Encoding in MD5 or SHA1? Salting or not salting? Encrypting just the password or all 3 elements?

like image 648
Phil Young Avatar asked May 01 '12 11:05

Phil Young


2 Answers

For the password hash use PBKDF2 it's NIST approved. You should use a random non-secret salt for each password and nontrivial (over 1000) iteration count.

For the username and email, probably not worth encrypting.

like image 114
jbtule Avatar answered Nov 02 '22 19:11

jbtule


The best practices IMO are:

  • Use a hashing algorithm such as SHA256 or SHA512. MD5 is insecure now as you can reverse the hash/perform a rainbow attack.

  • Use a strong salt to ensure an attacker cannot guess commonly hashed passwords if they ever gained entry to your database.

  • Do not use encryption.

  • Only hash the passwords, usernames and e-mails are fine as plain text.

like image 33
Darren Avatar answered Nov 02 '22 19:11

Darren