"A better idea would be to set a cookie with the hash of the user id + some secret salt + a timestamp. The secret salt gives us some protection against said script kiddie, while the timestamp will make the hash expire. Neat!"
From those couple sentences, it really doesn't seem like this person knows what they're talking about. The hash won't "expire" just because you have a date in it...and because we're talking about one way hashes there is no realistic way for you to figure out what date was hashed in there. Maybe they meant the date on the cookie...still a big error to make in a field with no room for the tiniest of errors.
Hashing the password in Javascript before sending it over an insecure connection is pretty sweet (but it's not AJAX, just Javascript).
----
Yeah, that post over at matasano.com is great. Really an eye opener and got me thinking about things.
I've being using "stretching" since I read about it on their blog. I basically have this:
function hash_password($password, $salt)
{
for(i = 0; i < 50000; i++)
{
$password = sha1($password.$salt);
}
return $password;
}
My salts are all randomly generated using letters, numbers and symbols and are at least 15 characters long. It takes about 1 second to run that on my web server, so it slows down brute force login attempts. It will also take someone forever an a day to use a rainbow table against it since they have to match the hash fifty thousand times. It's not a s secure as something like Blowfish, but it's leagues better than just a single sha1($password.$salt);
From those couple sentences, it really doesn't seem like this person knows what they're talking about. The hash won't "expire" just because you have a date in it...and because we're talking about one way hashes there is no realistic way for you to figure out what date was hashed in there. Maybe they meant the date on the cookie...still a big error to make in a field with no room for the tiniest of errors.
Hashing the password in Javascript before sending it over an insecure connection is pretty sweet (but it's not AJAX, just Javascript).
----
Yeah, that post over at matasano.com is great. Really an eye opener and got me thinking about things.
I've being using "stretching" since I read about it on their blog. I basically have this:
function hash_password($password, $salt) { for(i = 0; i < 50000; i++) { $password = sha1($password.$salt); } return $password; }
My salts are all randomly generated using letters, numbers and symbols and are at least 15 characters long. It takes about 1 second to run that on my web server, so it slows down brute force login attempts. It will also take someone forever an a day to use a rainbow table against it since they have to match the hash fifty thousand times. It's not a s secure as something like Blowfish, but it's leagues better than just a single sha1($password.$salt);