Re: hashing, best practices?

From: Aristedes Maniatis (ar..sh.com.au)
Date: Thu Aug 07 2008 - 20:26:51 EDT


    On 08/08/2008, at 5:00 AM, Michael Gentry wrote:

    > public void setPassword(String newPassword)
    > {
    >     super.setPassword(sha1(newPassword));
    > }

    That's close to what we do too. Some small caveats:

    * think carefully about how you implement validation like 'password
    length is more than 4 characters' since the hash will always be more
    than 4 characters

    * salt the password before hashing it (for example with the username
    and some other random string), otherwise you make it easy for someone
    to change the database value to a known password. That is, the
    password 'mypass' should hash to two different results for two
    different users.

    * make sure you don't getPassword and then setPassword somewhere in
    your code, otherwise you'll keep rehashing the hashed version.

    Cheers

    Ari

    -------------------------->
    ish
    http://www.ish.com.au
    Level 1, 30 Wilson Street Newtown 2042 Australia
    phone +61 2 9550 5001 fax +61 2 9550 4001
    GPG fingerprint CBFB 84B4 738D 4E87 5E5C 5EFA EF6A 7D2E 3E49 102A
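
    Added example, not code from this thread or from Cayenne: a self-contained
    Java class that puts the three caveats above into working code. It swaps the
    single sha1() round of the quoted setter for PBKDF2 (javax.crypto's
    SecretKeyFactory with "PBKDF2WithHmacSHA256", in the JDK since Java 8) with a
    random 16-byte salt stored next to the hash, so 'mypass' produces two
    different column values for two different users; it validates the plaintext
    length inside setPassword before hashing, where the length check is still
    meaningful; and it keeps a separate setter for the stored value so a
    getPassword-then-setPassword round trip cannot rehash. The class and method
    names (SaltedPasswordExample, User, setStoredPasswordHash, checkPassword),
    the storage format and the iteration count are assumptions; in the layout
    of the quoted code, the superclass setter reached through
    super.setPassword(...) plays the role of setStoredPasswordHash.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Hypothetical example class; not Cayenne code and not the poster's sha1() helper. */
public class SaltedPasswordExample {

    // Stored format (assumed): pbkdf2-sha256$<iterations>$<base64 salt>$<base64 derived key>
    private static final String PREFIX = "pbkdf2-sha256$";
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 100_000;   // assumption: tune for your hardware
    private static final int KEY_BITS = 256;
    private static final int MIN_PASSWORD_LENGTH = 5; // "more than 4 characters", as in the thread

    /** Stand-in for the persistent entity; passwordHash is what the ORM would write to the column. */
    static final class User {
        private String passwordHash;

        /** Plaintext-only entry point. Validate the plaintext here, before it becomes a long hash. */
        void setPassword(String plaintext) {
            if (plaintext == null || plaintext.length() < MIN_PASSWORD_LENGTH) {
                throw new IllegalArgumentException("password must be longer than 4 characters");
            }
            // Tripwire for the get-then-set mistake: a value in our stored format is never a real password.
            if (plaintext.startsWith(PREFIX)) {
                throw new IllegalArgumentException("refusing to hash an already-hashed value");
            }
            this.passwordHash = hash(plaintext);
        }

        /** Used only when loading the stored value (the role of the generated superclass setter). */
        void setStoredPasswordHash(String stored) {
            if (stored == null || !stored.startsWith(PREFIX)) {
                throw new IllegalArgumentException("not a stored hash");
            }
            this.passwordHash = stored;
        }

        String getStoredPasswordHash() { return passwordHash; }

        boolean checkPassword(String candidate) { return verify(candidate, passwordHash); }
    }

    /** Fresh random salt per call, so the same password never yields the same stored value twice. */
    static String hash(String plaintext) {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = pbkdf2(plaintext.toCharArray(), salt, ITERATIONS);
        return PREFIX + ITERATIONS + "$" + b64(salt) + "$" + b64(dk);
    }

    /** Re-derives with the salt and iteration count stored beside the hash; constant-time compare. */
    static boolean verify(String candidate, String stored) {
        if (candidate == null || stored == null || !stored.startsWith(PREFIX)) return false;
        String[] parts = stored.substring(PREFIX.length()).split("\\$");
        if (parts.length != 3) return false;
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        byte[] actual = pbkdf2(candidate.toCharArray(), salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) {
        try {
            PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("PBKDF2 unavailable", e);
        }
    }

    private static String b64(byte[] bytes) { return Base64.getEncoder().encodeToString(bytes); }

    public static void main(String[] args) {
        User alice = new User();
        User bob = new User();
        alice.setPassword("mypass");   // same password for both users ...
        bob.setPassword("mypass");     // ... but each gets its own salt
        System.out.println("alice: " + alice.getStoredPasswordHash());
        System.out.println("bob:   " + bob.getStoredPasswordHash());
        System.out.println("stored values equal? "
                + alice.getStoredPasswordHash().equals(bob.getStoredPasswordHash()));
        System.out.println("alice/mypass -> " + alice.checkPassword("mypass"));
        System.out.println("alice/MyPass -> " + alice.checkPassword("MyPass"));

        // Reloading from the database goes through the stored-hash setter, not setPassword.
        User reloaded = new User();
        reloaded.setStoredPasswordHash(alice.getStoredPasswordHash());
        System.out.println("reloaded/mypass -> " + reloaded.checkPassword("mypass"));

        // The rehash mistake from the thread, caught instead of silently double-hashing.
        try {
            reloaded.setPassword(reloaded.getStoredPasswordHash());
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

    Compile and run with javac/java. Every run prints two different stored
    values for the same password, true for the matching check and false for
    the wrong one, and the final setPassword call on the already-hashed value
    is rejected. The stored format carries its own salt and iteration count,
    so the cost factor can be raised later without invalidating old rows.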



    This archive was generated by hypermail 2.0.0 : Thu Aug 07 2008 - 20:27:32 EDT