1. Registered User (Devshed Newbie, 0 - 499 posts; joined Apr 2013)

    Comments on security

    I am going to decide to use SHA-512 with salt in my web project.
    But I am still in confusion that there is some problem in it...
    The hashing algorithm just hashes the data before saving it into the database, something like ( 45454dsdsd54d4sd ).
    How can the admin know about the user password?
    How can he access his personal data/profile?

    If there is another way to secure the user input data on the web, please tell me...
  2. #2 Jacques1, Devshed Expert (3500 - 3999 posts; joined Jul 2012)

    Do not use SHA-512. Do not use any home-made password scheme at all. I have no idea why PHP people love playing cryptographer so much (and failing again and again).

    Instead, use an established and well-tested algorithm like bcrypt, which has actually proven itself to work. If you have an up-to-date PHP version, there's the password_compat library. If you're running with some old version, there's PHPass.

    Writing a secure hash algorithm is an expert topic, so leave it to the people who actually know how to do it. SHA-512 with a salt is not secure. It doesn't suck as much as, say, plain MD5 hashes, but it's not even remotely suitable for protecting passwords against brute-force attacks with current hardware.

    Admins cannot retrieve the password. That's the whole point of password hashing. If they can, your system is badly broken. How admins can get access to a user account completely depends on the application.
    Last edited by Jacques1; May 4th, 2013 at 02:10 PM.
    The 6 worst sins of security · How to (properly) access a MySQL database with PHP
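To make the reply concrete, here is an added example (not code from the thread or from either poster) of what "use bcrypt" looks like in PHP: the built-in `password_hash()` / `password_verify()` API, which is native from PHP 5.5 and provided by the password_compat library on 5.3.7+. It also shows the point about admins: the stored hash cannot be turned back into the password, so an admin helps a locked-out user with a reset token, never by reading the password. The `users` table, its column names, the cost value and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example: bcrypt password storage with PHP's password_* API.
// Assumptions: a `users` table with the columns used below; PHP >= 5.5
// (or 5.3.7+ with password_compat's password.php required first).
// random_bytes() needs PHP 7; on 5.x substitute openssl_random_pseudo_bytes().

// Work factor. Assumption: raise it until one hash takes roughly 100-250 ms
// on the production server; bcrypt's cost is what makes brute force expensive.
define('BCRYPT_COST', 12);

function register_user(PDO $db, $username, $password)
{
    // password_hash() draws a random salt itself and embeds it in the output
    // string, so there is no separate salt column to generate or manage.
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(array($username, $hash));
}

function login_user(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // If the cost (or the default algorithm) has been raised since this hash
    // was created, re-hash now while the plaintext is legitimately in hand.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, array('cost' => BCRYPT_COST))) {
        $new = password_hash($password, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute(array($new, $row['id']));
    }
    return true;
}

// Admin flow: the admin never learns the password. They issue a one-time
// reset token, which is sent to the user out of band (e-mail). Only a hash
// of the token is stored, so a database leak does not hand out usable links.
function issue_password_reset(PDO $db, $userId)
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET reset_token_hash = ?, reset_expires = ? WHERE id = ?');
    $stmt->execute(array(hash('sha256', $token), date('Y-m-d H:i:s', time() + 3600), $userId));
    return $token; // hand to the mailer; do not log it
}

function complete_password_reset(PDO $db, $token, $newPassword)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE reset_token_hash = ? AND reset_expires > ?');
    $stmt->execute(array(hash('sha256', $token), date('Y-m-d H:i:s')));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $hash = password_hash($newPassword, PASSWORD_BCRYPT, array('cost' => BCRYPT_COST));
    // Clear the token so it cannot be replayed.
    $upd = $db->prepare('UPDATE users SET password_hash = ?, reset_token_hash = NULL, reset_expires = NULL WHERE id = ?');
    $upd->execute(array($hash, $row['id']));
    return true;
}

// Stand-alone demonstration against an in-memory SQLite database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, reset_token_hash TEXT, reset_expires TEXT)');

register_user($db, 'alice', 'correct horse battery staple');
var_dump(login_user($db, 'alice', 'correct horse battery staple'));
var_dump(login_user($db, 'alice', 'wrong password'));

$token = issue_password_reset($db, 1);
var_dump(complete_password_reset($db, $token, 'a new passphrase'));
var_dump(login_user($db, 'alice', 'a new passphrase'));
var_dump(complete_password_reset($db, $token, 'replayed')); // token already consumed
```

Two things to note when adapting this: the stored value already contains the algorithm, cost and salt (`$2y$12$...`), so `password_verify()` needs nothing but the hash column; and `password_needs_rehash()` is what lets you raise the cost over the years as hardware gets faster without forcing every user to reset.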

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
