Hi
I am programming a new site in JSF. At the moment I am programming the login.
I used md5 some years ago, but with rainbow tables I think it's not safe anymore.
So, how should I store the password in the database?

A: 

I suggest hashing with sha512 and salting. (Store a random value for everyone and hash the password and that value together.)

stribika
+8  A: 

Here is an excellent, detailed guide: http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/

niteria
Absolutely, amen. Very important advice in that one; specifically dealing with salting and nonces, using a slow hash, and the most critical advice of all...reusing an existing implementation.
Rob
wish I could upvote more than once...
rmeador
Thank you, I did not know about the SRP thing.
stribika
+2  A: 

The first thing you want to do is look for a pre-built system from your vendor. You want to push as much of this as possible to someone who writes security code for a living, because it's very easy to get wrong in subtle ways that you don't even know about until it's too late. This way you'll also be able to get service updates from them and so you just don't have to think about it anymore.

Beyond that, remember to generate a per-account salt to go with your password, and use a secure hashing algorithm (md5 is meant for speed, not necessarily security). SHA1 is pretty common, though it's starting to get old, too.

Joel Coehoorn
A: 

If you look up PKCS#5 (or better, find a reputable implementation that already does it), you'll find a pretty good mechanism.

Basically, you pick a number (say 500), a password, a hash algorithm, and a salt (random data added to the end of the password to make it less guessable).

  1. Take the password, salt it, and hash it.
  2. Take the result, salt that (same salt) and hash that.
  3. Repeat step 2 N times (in this example, N is 500).
  4. Store the final hashed, salted result, along with N and the salt itself in your password database.
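The four steps above, as an added Python example (not code from the answer or the original page): the iterated salted hash, the per-account record that gets stored, and the matching verification routine. The choice of SHA-256, the 16-byte salt and the record layout are assumptions; 500 is the answer's example iteration count, not a recommendation.

```python
import hashlib
import hmac
import os
from typing import Optional


def iterated_salted_hash(password: bytes, salt: bytes, iterations: int,
                         algorithm: str = "sha256") -> bytes:
    # Steps 1-3: hash(password || salt), then re-hash (digest || salt)
    # N more times with the same salt.
    digest = hashlib.new(algorithm, password + salt).digest()
    for _ in range(iterations):
        digest = hashlib.new(algorithm, digest + salt).digest()
    return digest


def make_record(password: str, iterations: int = 500,
                salt: Optional[bytes] = None, algorithm: str = "sha256") -> dict:
    # Step 4: the per-account record to store: algorithm, N, salt, final digest.
    # A fresh random salt is generated per account unless one is supplied
    # (a constructed salt is passed in only to make results reproducible).
    if salt is None:
        salt = os.urandom(16)
    digest = iterated_salted_hash(password.encode("utf-8"), salt,
                                  iterations, algorithm)
    return {"algorithm": algorithm, "iterations": iterations,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    # Recompute with the stored salt and N, then compare in constant time
    # so a mismatch does not leak how many leading bytes matched.
    expected = bytes.fromhex(record["hash"])
    actual = iterated_salted_hash(candidate.encode("utf-8"),
                                  bytes.fromhex(record["salt"]),
                                  record["iterations"], record["algorithm"])
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print(verify_password(rec, "correct horse battery staple"))  # True
    print(verify_password(rec, "wrong password"))                # False
```

The standard library's `hashlib.pbkdf2_hmac` implements PBKDF2, the PKCS#5 v2 form of this construction, and is the kind of reputable existing implementation the answer says to prefer over writing the loop yourself.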