3

I'm trying to secure a website that is being moved to a public server soon. I've just finished adding the password hashing functions to all of my login scripts. I'm using FormsAuthentication.HashPasswordForStoringInConfigFile(pw, method) to do so. I have a question about the process I'm using and whether or not it's secure for a web server:

  1. Password is sent in plain text over HTTPS to the server
  2. The server looks in the Users table to find the user's Salt (several random characters) and their hashed and salted stored password
  3. The plain text password is appended with the Salt
  4. The new string is hashed using the above function
  5. The newly hashed version is compared to the stored version
  6. If equal, login is allowed
  7. If not equal, the login attempt is logged in Session variables, up to 3 times before locking out the user's machine from accessing the login page until an admin verifies IP address and unlocks.

Does this look about right? I just don't see how the salt is effective in this method... Anyway, all I've done is add a salt and hash. Is this considered Encryption? Or am I missing a step? I remember reading that hashing algorithms like SHA1 and MD5 are not encyption algorithms, so what else needs to be done?

Improve this question
2
  • passwords should never be encrypted, they must always be hashed. Commented Mar 30, 2011 at 18:59
  • Thanks, it's funny you say that. I had been calling this method "encryption" when it was actually just hashing. I'm still new to this stuff, so I didn't know there was a huge difference. Just changed the question title to "hashing" from "encryption" Commented Apr 1, 2011 at 19:34

2 Answers 2

Reset to default
3

That is correct. The salt is used to prevent rainbow table attacks where a dictionary of common works hashed with MD5 is used to try to gain entry. Using the salt ensures that even if they had an MD5 hash of the word, it wouldn't work because they don't know the salt.

The MD5 algorithm is a 1 way hash algorithm, and not an encryption value. The difference is, once you've hashed the value, there is no way to get back to the original value. Encryption allows you to decrypt the data and get back the original value. So you are correct, they are not the same, and your passwords are not encrypted, they are hashed. This means that if someone forgets their password, you cannot send it to them. You have to provide a way for them to reset their password instead. This also means that anyone with access to the database would not have access to raw passwords. Which is good because a lot of people use the same password everywhere, and if you had access to a large list of usernames and passwords, someone could decide to start trying to log into bank / credit card websites.

What you are doing is a recommended practice.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Ok, that's good. We actually have a password reset form instead of sending the password. So what about MD5? I've read that it's not secure these days, but I'm not sure what my options are on that hashing function. As far as I know there's only MD5 and SHA1. Is there more? Or am I safe using it for a site storing non-sensitive personal information such as email, phone, and address (no credentials or financial information)
@Dexter it's not that MD5 is not secure, its that there are tables readily available for looking up hashes quickly. The other problem is it has been proven that there are collisions. Meaning that there are multiple different values that will result in the same hash. I don't know the statistics of how often a collision occurs, but it's rare. You are safe using MD5 for hashing the passwords. And making it hard to brute force attack the site by locking the login form after 3 attempts helps too. I would be careful with the IP lock. IPs are not unique to individuals and may lock out > 1 person.
Yeah, I guess I just need to add a field in the DB for lockouts instead, and just lockout the user altogether. Thanks for your help!
1

You shouldn't be storing the retry count in the session - an attacker could simply discard their session cookie after each attempt, allowing them to retry as many times as they wish. Instead, store it against the user record.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.