

Casual cryptography for web developers - mqt
http://www.topmost.se/personal/articles/casual-cryptography-for-web-developers.htm

======
themole
"A better idea would be to set a cookie with the hash of the user id + some
secret salt + a timestamp. The secret salt gives us some protection against
said script kiddie, while the timestamp will make the hash expire. Neat!"

From those couple sentences, it really doesn't seem like this person knows
what they're talking about. The hash won't "expire" just because you have a
date in it...and because we're talking about one way hashes there is no
realistic way for you to figure out what date was hashed in there. Maybe they
meant the date on the cookie...still a big error to make in a field with no
room for the tiniest of errors.

Hashing the password in Javascript before sending it over an insecure
connection is pretty sweet (but it's not AJAX, just Javascript).

\----

Yeah, that post over at matasano.com is great. Really an eye opener and got me
thinking about things.

I've being using "stretching" since I read about it on their blog. I basically
have this:

function hash_password($password, $salt) { for(i = 0; i < 50000; i++) {
$password = sha1($password.$salt); } return $password; }

My salts are all randomly generated using letters, numbers and symbols and are
at least 15 characters long. It takes about 1 second to run that on my web
server, so it slows down brute force login attempts. It will also take someone
forever an a day to use a rainbow table against it since they have to match
the hash fifty thousand times. It's not a s secure as something like Blowfish,
but it's leagues better than just a single sha1($password.$salt);

------
corentin
Here's a better overview of password authentication:
[http://www.matasano.com/log/958/enough-with-the-rainbow-
tabl...](http://www.matasano.com/log/958/enough-with-the-rainbow-tables-what-
you-need-to-know-about-secure-password-schemes/)

It explains why using fast hash algorithms such as MD5 or SHA1 is a bad idea
for the purpose of password authentication.

