I have been reading up a lot on hashing and site security recently.
I have always had a few doubts about hashing though most likely just due to lack of understanding…
1.
If a database is stolen, then surely all of a users information (except the password) is readily available for an attacker to view..they wouldn’t need a password in the first place….?
If an attack is performed on the site itself, then no matter how much hashing is done, 1 guess of the right password using rainbow tables will allow access.
That said, here are my thoughts for the security of the site I am currently developing.
1. Take the chosen users password and split it – probably in half. If you know there is a minimum of 6 letters in the password, split it 6 times (the 6th time being the remainder of the password)
E.G. “pass” +”word”, or even “p”, “a”, “s”, “s”,”w”,”o”,”r”,”d”.
2.
Use different hashes and salts with each part.
[CODE]$part1=sha1(userid+”p”);
$part2=md5(datejoined+”a”);
$part3=whirlpool(mysitehash+”s”);
etc
etc
save each of these in the database, and then combine them when checking login.
[CODE]if (password <> $part1+part2…)
I do understand that this is potentially overkill and could slow down login, but my belief is that you cant be too secure.
I am also considering making members to have a number code as well (like banks often do) as this essentially means that an attacker has two passwords to crack. (my site does need to be extra secure ? )
Finally, to address my first point, am thinking of encrypting all data stored in the database too.
Would appreciate your thoughts!