The only really secure way to store your users' passwords in your database.

  1. The user enters the plaintext password into your system over a secure transport such as TLS (the successor to SSL), so it is never sent in the clear.
  2. Next, compute a SHA-3 hash of the plaintext password from 1) above.
  3. Next, wrap the SHA-3 hash returned in 2) above with two 64-byte chunks, one in front of it and one after it, as below...
  4. 64 bytes that are fixed (a "pepper"): hard-coded or read from an ENV variable inside your application, and never written to the database.
  5. 64 bytes that are random binary: generated at run time with a cryptographically secure random generator when the user is created, and stored against the user in your existing "system_user" database table.
  6. Concatenate: 64 fixed bytes + SHA-3 hash created in 2) above + 64 random (but stored) bytes.
  7. Create a new SHA-3 hash of the original SHA-3 hash plus those 128 bytes.
  8. THIS IS THE VALUE THAT NOW STANDS IN FOR THE USER PASSWORD, so let's run it through a slow password hash.
  9. Use bcrypt (from a recognised library) to hash the value from 8) above. Bcrypt is a salted, deliberately slow password hash, not encryption (nothing here can be decrypted), and it uses at most the first 72 bytes of its input, so keep the value from 7) inside that limit: a SHA3-256 digest base64-encoded is 44 printable bytes and fits, whereas a hex-encoded SHA3-512 digest is 128 bytes and bcrypt would silently drop everything past the 72nd. Avoid passing raw digest bytes, which may contain a NUL that bcrypt libraries reject or truncate on.
  10. STORE the bcrypt output in the database next to the per-user random bytes from 5). Bcrypt embeds its own salt and cost factor in its output, so verification at login is: look up the user's 64 random bytes, repeat steps 2) to 7) on the submitted password, and let the library's constant-time check compare the result against the stored hash.
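
A worked version of the ten steps, added here as an example; it is not code from the original post. It assumes Python, the pyca `bcrypt` package for step 9 (if that package is not installed it substitutes `hashlib.scrypt` from the standard library for the slow-hash step, which is a swap and not part of the recipe above), and that the 64 fixed bytes arrive as hex in a `PASSWORD_PEPPER_HEX` environment variable, with a constructed demo value used when it is absent. The function names, the `system_user`-style row dict and the choice of SHA3-256 for the second hash are this example's own; SHA3-256 is used so that the base64-encoded value handed to bcrypt is 44 printable bytes, inside bcrypt's 72-byte limit and free of NUL bytes.

```python
"""Pepper + per-user salt pre-hash, then bcrypt. Added example, not the post's code."""
import base64
import hashlib
import hmac
import os
import secrets

try:
    import bcrypt            # pyca/bcrypt: the "recognised library" of step 9
except ImportError:          # assumption: stand-in so the example still runs without it
    bcrypt = None

PEPPER_LEN = 64   # fixed bytes held by the application (step 4)
SALT_LEN = 64     # random bytes stored per user (step 5)
BCRYPT_MAX = 72   # bcrypt uses at most the first 72 bytes of its input

# Step 4: the fixed 64 bytes. Assumption: supplied as hex in PASSWORD_PEPPER_HEX;
# the fallback is a constructed demo value so this file runs offline.
_DEMO_PEPPER = hashlib.sha3_512(b"constructed demo pepper, not for production").digest()
PEPPER = (bytes.fromhex(os.environ["PASSWORD_PEPPER_HEX"])
          if "PASSWORD_PEPPER_HEX" in os.environ else _DEMO_PEPPER)
if len(PEPPER) != PEPPER_LEN:
    raise ValueError("pepper must be exactly 64 bytes")


def new_user_salt() -> bytes:
    """Step 5: 64 CSPRNG bytes, generated once and stored in the user's row."""
    return secrets.token_bytes(SALT_LEN)


def prehash(password: str, salt: bytes) -> bytes:
    """Steps 2-7: SHA3-512(password), then SHA-3 of PEPPER || h1 || salt.

    The second hash is SHA3-256 and base64-encoded: 44 ASCII bytes, under the
    72-byte bcrypt limit and with no NUL byte. SHA3-512 would give 88 base64
    bytes and bcrypt would silently ignore the last 16 of them.
    """
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 64 bytes")
    h1 = hashlib.sha3_512(password.encode("utf-8")).digest()   # step 2
    h2 = hashlib.sha3_256(PEPPER + h1 + salt).digest()          # steps 3, 6, 7
    out = base64.b64encode(h2)
    if len(out) > BCRYPT_MAX or b"\x00" in out:
        raise ValueError("pre-hash not safe to hand to bcrypt")
    return out


def slow_hash(pre: bytes) -> bytes:
    """Step 9: bcrypt with its own per-hash salt and cost. Fallback: scrypt (a swap)."""
    if bcrypt is not None:
        return bcrypt.hashpw(pre, bcrypt.gensalt(rounds=12))
    kdf_salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(pre, salt=kdf_salt, n=2 ** 14, r=8, p=1, dklen=32)
    return b"$scrypt$" + base64.b64encode(kdf_salt) + b"$" + base64.b64encode(digest)


def slow_verify(pre: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a fresh pre-hash against the stored slow hash."""
    if stored.startswith(b"$2"):                 # bcrypt output ($2b$...)
        if bcrypt is None:
            raise RuntimeError("bcrypt hash stored but the bcrypt package is missing")
        return bcrypt.checkpw(pre, stored)
    _, tag, s, d = stored.split(b"$")
    if tag != b"scrypt":
        return False
    kdf_salt, digest = base64.b64decode(s), base64.b64decode(d)
    calc = hashlib.scrypt(pre, salt=kdf_salt, n=2 ** 14, r=8, p=1, dklen=32)
    return hmac.compare_digest(calc, digest)


def enroll(password: str) -> dict:
    """Step 10: what the user's row must keep, the random bytes and the final hash."""
    salt = new_user_salt()
    return {"salt": salt, "password_hash": slow_hash(prehash(password, salt))}


def verify(password: str, row: dict) -> bool:
    """Login: rebuild the pre-hash with the stored salt, then let the KDF compare."""
    return slow_verify(prehash(password, row["salt"]), row["password_hash"])


if __name__ == "__main__":
    row = enroll("correct horse battery staple")   # constructed demo password
    print(row["password_hash"])
    print(verify("correct horse battery staple", row), verify("wrong password", row))
```

Note that the pepper never touches the database and the per-user salt never leaves it; a dump of the `system_user` table alone therefore gives an attacker bcrypt outputs of values they cannot even compute without also stealing the application's configuration.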

WELCOME TO PASSWORD SECURITY!

ANALYSIS:

Mark Arnold