
Sherif Ramadan:
Password Hashing And Why People Do It Wrong
June 03, 2013 @ 12:18:26

In a recent post to his site Sherif Ramadan looks at the topic of password hashing and why most developers are (still) doing it wrong. He notes that "fixing the people" and their mindset about hashing/salting is much harder than just fixing the code.

Beyond just writing code I also have to solve some very tough problems on a regular basis. Some of which don't stem from code at all, but from the people behind the code. Fixing code is easy for me (computers just do what I tell them to do), but fixing people proves to be a lot more challenging. Unfortunately some people are of the mindset that they aren't wrong simply because they've never been proven wrong before. To some people being proven wrong goes beyond just words. Some of us are a lot more stubborn than others and so explaining something may not be enough. This is called the wisdom of humility.

He points out that even developers who immediately think "rainbow tables" when they hear "md5" are behind the times. Modern cracking, especially on a GPU, simply hashes each candidate on the fly and compares it, so it needs none of the storage overhead of large precomputed tables. He illustrates with a "random" md5 password generator whose keyspace comes to around 916 million candidates; a GPU computing roughly 4 billion MD5 hashes per second (the "4k million" in the post) exhausts that space in well under a second. He also covers salts and how they help, with the caveat that a salt only does its job when it goes through the hash function together with the password, not when it is merely appended.
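To make the two halves of that argument concrete, here is an added example (not code from Sherif Ramadan's post or from PHPDeveloper.org) written in Python with only the standard library. It brute-forces a bare MD5 digest by direct enumeration, no tables involved; plugs the post's figures (916 million candidates, 4 billion hashes per second) into a worst-case time estimate; and contrasts that with a per-user salted, iterated hash. The sample PIN, the 16-byte salt, the 100,000-iteration work factor, the record format and all function names are assumptions chosen for illustration, and PBKDF2-HMAC-SHA256 is used as the slow hash only because it ships with Python, not because the post prescribes it.

```python
"""Added example: brute-forcing bare MD5 versus a salted, stretched password hash.

Not code from the original post. The sample PIN, salt size, iteration count
and record format are assumptions chosen for illustration.
"""
import hashlib
import hmac
import itertools
import os
import string


def md5_hex(text):
    """Bare, unsalted MD5 of a string: the weak scheme the post argues against."""
    return hashlib.md5(text.encode()).hexdigest()


# Constructed sample: a 4-digit PIN stored as a bare MD5 digest. The keyspace
# is only 10**4 so the demo runs in well under a second on a CPU.
WEAK_PIN = "7391"
WEAK_DIGEST = md5_hex(WEAK_PIN)


def crack_unsalted_md5(target_hex, alphabet=string.digits, max_len=4):
    """Brute-force a bare MD5 digest by enumerating the keyspace directly.

    No rainbow table is needed: every candidate is hashed and compared on the
    fly, which is exactly what a GPU cracker does at billions of hashes/second.
    Returns (plaintext_or_None, attempts_made).
    """
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if md5_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def seconds_to_exhaust(keyspace, hashes_per_second, iterations=1):
    """Worst-case seconds to try every candidate at a given cracking rate.

    `iterations` is how many underlying hash computations one guess costs:
    1 for bare MD5, the work factor for a stretched hash.
    """
    return keyspace * iterations / hashes_per_second


# Assumed work factor. Tune it so one verification costs tens of milliseconds
# on your own hardware; the attacker pays the same multiplier per guess.
ITERATIONS = 100_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256, returned as a self-describing record.

    The salt is fed INTO the hash function together with the password, not
    tacked onto the output, so the digest itself differs for every user.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown hash format: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def same_password_same_hash(password, hasher):
    """True if two users who pick the same password end up with identical records."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    found, tries = crack_unsalted_md5(WEAK_DIGEST)
    print("bare MD5 of %r recovered as %r after %d guesses" % (WEAK_PIN, found, tries))

    # The post's numbers: ~916 million candidates, a GPU at ~4 billion MD5/s.
    print("bare MD5, 916M candidates at 4G/s: %.2f s" % seconds_to_exhaust(916e6, 4e9))
    print("stretched x%d, same keyspace and per-hash rate: %.0f s"
          % (ITERATIONS, seconds_to_exhaust(916e6, 4e9, ITERATIONS)))

    print("unsalted MD5 collides across users:", same_password_same_hash("hunter2", md5_hex))
    print("salted PBKDF2 collides across users:", same_password_same_hash("hunter2", hash_password))

    record = hash_password("hunter2")
    print("verify correct password:", verify_password("hunter2", record))
    print("verify wrong password:  ", verify_password("hunter3", record))
```

Two things to notice when running it: the unsalted digest falls to plain enumeration in a few thousand guesses, and every user who chose "hunter2" shares one digest, so one crack unlocks all of them. With a random salt hashed in, identical passwords produce different records and the attacker must start over per user, and the iteration count multiplies the cost of every one of those guesses. In PHP the same job is done by password_hash() and password_verify(), which pick the salt and cost for you.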

It's usually the result of several underlying factors that people end up making poor choices about security. Sometimes it's due to incompetence. Other times it's due to politics. Whatever the reasons are they are never excusable, because there are better alternatives out there and it's not as though they are more difficult or less available than others. So there really are no good reasons [not to do it] here.
Tags: password hashing gpu md5 sha1 bruteforce people problem

Link: https://sheriframadan.com/2013/05/password-hashing


All content copyright, 2014 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework