php - Is my Bcrypt encryption safe enough? -

-

i working on project needs advanced security system when comes saving passwords etc. question is, way save passwords safe enough?

this way programmed:

  1. when user registers, salt created out of following details:
    • an unique user id (primary key in mysql)
    • the users emailaddress
    • the current (micro)timestamp
    • some random key defined in configuration of website
  2. this salt being hashed sha512 key.
  3. after salt has been created, following string being hashed using bcrypt: password + sha512 salt (worklevel 10, ($2a$10...)).
  4. then skip first 5 characters of bcrypt output ($2a$10) , save remaining string database.

when user tries log in, first check if username exists. if does, check if password correct using check() function.

i use this bcrypt class encrypt , check.

can guys tell me if way of encrypting , verifying enough big project?

regards,

jan willem

  1. there's absolutely no point in deriving salt particular input. in fact, can serve weaken it. salt derived value has relation value hashed not salt, it's altered hashing algorithm. salts entirely (pseudo) random noise, period. point make input unique; , unique value random noise.
  2. if derive salt pseudo random number generator, there's no need hash it. can serve reduce entropy.

  3. you should store entire result in database (including $2a$10). if you're doing properly, hash virtually impossible brute force is. omitting piece of information makes your job more difficult, doesn't make meaningfully more difficult potential attacker.

    storing value lets see algorithm hash created , upgrade it on time. hardware becomes faster should increase work factor of algorithm , better algorithms become available (hello scrypt!) should upgrade algorithm used. way works check whether hash created using latest , greatest when user logs in. @ point opportunity rehash cleartext password , upgrade it.

use php's new password_hash api or password_compat shim older versions, tested , "advanced".


Comments

Post a Comment

Popular posts from this blog

java - Run a .jar on Heroku -

-
i trying run .jar file on heroku, , can't find instructions anywhere on how this. have read wants me compile uploading heroku. possible, , if is, how this? if helps, trying run minecraft craftbukkit server, , don't have pom.xml file yet. you didn't provide details i'll try give , people reaches question way it. first of all, create heroku account , create heroku application (assumed have done that). second, need generate application jar , upload heroku. so, open terminal , install heroku cli (assuming unix terminal): $ sudo npm install -g heroku-cli you need have npm , nodejs installed, can check link: https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-16-04 once done that, can use npm update node version acceptable heroku-cli: $ sudo npm install -g n $ sudo n 7.10.0 and run: $ sudo npm install -g heroku-cli in order deploy jars, need install deploy plugin: $ sudo heroku plugins:install heroku-cli-deploy ...
Read more

java - Jtable duplicate Rows -

-
Image
when add new rows in jtable duplicate rows many times this method update jtable public final void tableaucomande(){ ((defaulttablemodel)tabcommande.getmodel()).getdatavector().clear(); session s=hibernateutil.getsessionfactory().opensession(); criteria cr1= s.createcriteria(commande.class); list <commande> lcs=cr1.list() ; criteria cr2= s.createcriteria(lignecommande.class); list <lignecommande> lck=cr2.list() ; if(lcs.size()!=0 && lck.size()!=0) { (commande lc:lcs) { for(lignecommande lig:lck){ ((defaulttablemodel)tabcommande.getmodel()).addrow(new object[]{ lc.getid_cmd(),lc.getnumcmd(),lc.getdate_cmd(),lc.getclient().getnomprenom(), lig.getproduit().getlib_prd(),lig.getquantite(),lig.getproduit().getid_prd() }); } } // tabcommande.setrowselectioninterval(tabcommande.getrowcount()-1,tabcommande.getrowcount()-1); } } this code add add data rows displaye...
Read more

validation - How to pass paramaters like unix into windows batch file -

-
i need pass various parameters .cmd file unix format file.cmd -configuration=value -source=value -flag but, try this: startlocal @echo off cls setlocal set cmdline=%* set configuration= set source= set badargs= set validation= goto main :splitargs echo splitargs(%*) if "%*" neq "" ( /f "tokens=1,2,* delims== " %%i in ("%*") call :assignkeyvalue %%i %%j & call :splitargs %%k ) goto :eof :assignkeyvalue echo assignkeyvalue(%1, %2) if /i %1==-configuration ( set configuration=%2 ) else if /i %1==-source ( set source=%2 ) else ( rem append unrecognised [key,value] badargs echo unknown key %1 set badargs=%badargs%[%1, %2] ) goto :eof :validate echo validating set validation=fail if defined configuration ( echo -configuration ok if defined source ( echo -source ok if not defined badargs ( set validation=success ) ) ) goto :eof :main cl...
Read more