Protection and storage of passwords. How?


Warning: count(): Parameter must be an array or an object that implements Countable in /home/styllloz/public_html/qa-theme/donut-theme/qa-donut-layer.php on line 274
0 like 0 dislike
6 views
Hello!

The bottom line:

There's a database with passwords. All passwords are stored in hashed form. Hashing is carried out using the password_hash function of PHP. If the user enters "ПарольСекрет1123123", then the database will record the following:
$2y$10$Vo1rzCRf8gQSu3FZDvxeEu4EkhEIvyAF1bgwpbgim5ohrdtjqeqjm


Question 1:

How reliable is this hash? Is it possible to get the original password knowing hash? It is possible in principle?

Password guessing with bruteforcing:

No matter how stored password, it is still possible to pick up. So you need to make protection from bruteforcing. I want to make it so that after 3 incorrect attempts, the password you enter take 5 minutes. Even then if the password was entered incorrectly, then the pause will be doubled, and so on. I think it is quite reliable protection. But how to implement it?

Password encryption:

I thought to start learning cryptography to improve security and not to store the password hash, and the hash cipher password. Of course, we still this method of encryption come up with, but that is another question.

What methods of password protection do you know?

In advance I Express my deep gratitude to all who help!
by | 6 views

4 Answers

0 like 0 dislike
In fact, had already made up for us =) Password to write into the database as a hash + salt password and already will be difficult to find. Then enter the captcha for the password and let the timer so it was difficult to sort out. You can still lock the user after 5 invalid entries and requiring unlocking by email
by
0 like 0 dislike
Bcrypt is quite reliable. To guess the password, the only question of resource-hours. If you really want to hash Brutus gone was long - set cost a little more, about the specific figures it is necessary to ask experts.
Slow queries better on the side a web server, the means. Although "captcha starting with the third attempt," better: a delay of five minutes we probably scare live people than bots.
Encryption of the password before hashing is not necessary. If the server is hacked and the database gone, the code is also probably merge and direct it and use for decryption. The increase in cost for the hash will give the best result without much fuss.
by
0 like 0 dislike
How reliable is this hash? Is it possible to get the original password knowing hash? It is possible in principle?
The reliability of the hash depends on the hash algorithm.

I think it is quite reliable protection. But how to implement it?
I also think that it is quite reliable protection from brute force passwordthat, in General, does not speak about the protection of everything else. How to implement the most simple variants:
a) Logs from what IP was an unsuccessful login attempt with date and time of the event in the database (or any other repository You use), while trying a password - check how many failed attempts from this IP were for the last time, if more than X you try to enter password is locked
b) same as A, but not check the IP address and the login, which logs trying
C) a Combination of paragraphs A and B
d) many other options, of which just a lot, including the use of Google captcha, recognition systems bots and also various combinations of the protection methods and all sorts of perversions, including the above-described.

Is it possible to get the original password knowing hash? It is possible in principle?
By itself, the hash is not an irreversible type of encryption, if that's the question. In other words, hash algorithms, any "decoding" does not imply a priori. But, really, there are ready tables for md5 hashes (I think for other hash algorithms, they exist too, and that You have already guessed that the table represents the original data and the result of their hash), which to some extent "decrypt" md5, you can (well, unless you take into account the fact that quite different combinations may eventually give the same hash, because the number of combinations is infinite, but the number of variations of the hash still has some finite value).

I thought to start learning cryptography to improve security and not to store the password hash, and the hash cipher password.
It remains the case for small:
1. Study (You) cryptography on a level sufficient for the realization of tasks, including writing your own cryptographic algorithms (encryption methods), as mentioned here:
Of course, we still this method of encryption come up with, but that is another question.

2. To solve the problem of safe storage of private (closed) key, which you definitely need in this case

PS Judging by the context of Your question, You are trying to create some sort of "mega-defense" in one place, losing focus of the fact that the protect form for a password and this mechanism in General (we have the same about this question?) is ~1% of the total security of the average system, and examples of this mass. For example, there is a lot of examples when large mail providers suddenly "flowed" database users, including their passwords (hashed, of course) and it was connected not with brute force (and similar acts) clearly, there are all sorts of Heartbleed, which is "officially" suffered very large companies, for network security which was watched by the people knowledgeable in this matter much better than You I and all the other participants in this issue - together, etc... [many examples]. You seriously don't think the goal of any hacker is to find or get one password and (even if his goal is just that, all of a sudden) that this is a hacker before losing momentum "to fight a forehead about a wall" in trying to obtain this most ill-fated password by brute-force attack on the login form or something similar and unsuccessful attempts all his "hacking" on it and stop?
by
0 like 0 dislike
All passwords are stored in hashed form.
The password cannot be stored in hashed form.
Either you store the password, or you do not save the password.
In your case, the password is not stored, the stored hash.
How reliable is this hash?
Depends on what we mean by reliability.
Is it possible to get the original password knowing hash?
No, it is impossible in principle.

No matter how stored password, it is still possible to pick up
Therefore, it is not stored, store its hash.

I want to make it so that after 3 incorrect attempts, the password you enter take 5 minutes.
It is normal practice, only 5min perhaps a lot, you should start with 10-15sekund.
But how to implement it?
To store the time of login attempts - successful and unsuccessful. When you try to log to consider the amount of time elapsed since the last attempt and if it failed, blokirovat.

I thought to start learning cryptography to improve security and not to store the password hash, and the hash cipher password.
When you study cryptography, you will understand that this is nonsense.
I will try to explain -
7f1faa82a84c11d68e301cd04680609d Is a hash of the Avatar movie in FullHD quality, weight 50Гигабайт.
You will be able from these figures to restore 50гигабайт video?
Another example -
Let's say the password is 123456789
Here is a hashing algorithm - count the number of digits.
You will be able to recover the password 123456789 knowing that its hash is equal to 9 ?
This is of course a very simplistic hashing algorithm and, in practice, it is impossible to use due to the large number of collisions, nevertheless, it is hashing.
by

Related questions

0 like 0 dislike
6 answers
0 like 0 dislike
6 answers
0 like 0 dislike
2 answers
0 like 0 dislike
7 answers
asked Mar 25, 2019 by delaf
110,608 questions
257,186 answers
0 comments
27,998 users