Hi everyone,

Is it common sense to encrypt hashed & salted passwords that are stored in a database with strong encryption (AES 192 or so), or are we just aiming for the stars?

Of course, the encryption key will not be in the database itself, but will be kept at a safe place.

Thanks a lot!

+6  A: 

There is no need to encrypt a salted and hashed password.
When the password is salted and hashed with a good algorithm, encrypting it will not improve the security.
When you encrypt it, you have to manage the key in some way; that will just complicate things.

Use a cryptographically generated salt, one for each password, and use a good hashing algorithm.
For more information see this question: http://stackoverflow.com/questions/1054022

Jens Granlund

+2  A: 

I'm not a security expert and I don't know what kind of application you are running or what kind of setup you have. But if I were making a regular ol' web app, I would just go with a salted hash.

You're going to store the key (or public key if you're using asymmetric key encryption, as you could encrypt the hash of the password the user provides and compare that to the value from the database) on the application server anyway.

If you're mainly worried about someone breaking into your database server, is it any harder to break into the application server?

If someone tries a dictionary attack through the app server, it's going to take the same number of tries either way. You'll just need to detect and block that.

The only situation in which encrypting the salted hashes is useful is if attackers can get their hands on the encrypted values but not the key. I guess it's up to you to decide if that's what you want for your system.

EMPraptor

A: 

Passwords should always be hashed and not encrypted unless you really need password retrieval. Password retrieval is itself not usually considered good practice.

dportas