Hi,

The SSL has nothing to do with the password encryption. We just need to make sure the communication is running over HTTPS.

Can I use a salt with SHA-512?

Cheers
Paul
[EMAIL PROTECTED]

> Date: Tue, 22 Apr 2008 11:39:28 -0400
> From: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] Security questions
> To: ADVANCED-DOTNET@DISCUSS.DEVELOP.COM
>
> Hash + salt is better than hash without salt.
>
> Paul: SSL is orthogonal though, it wasn't clear from your post that SSL
> was another failure point or not (I hope it was); but SSL doesn't make a
> hash stronger or weaker. i.e. the raw entered password (from a login)
> should be transmitted over SSL to the server, which would then generate a
> hash from it and compare it with the stored hash for that user. This
> means no one can sniff the password over the wire and if the data on the
> server is compromised the password would not be made available (only the
> hash).
>
>
> On Tue, 22 Apr 2008 08:42:15 -0700, Greg Young <[EMAIL PROTECTED]> wrote:
>
> >My guess would be a good hash function + a salt ... + SSL for
> >transmission would pass ...
> >
> >On Tue, Apr 22, 2008 at 7:10 AM, Peter Ritchie
> ><[EMAIL PROTECTED]> wrote:
> >> SHA1 isn't an encryption, it's a hash. A hash is one-way, you can't
> >> rehydrate the original data from a hash. base64 isn't encryption, it's
> >> encoding- meaning anyone can decode it.
> >>
> >> If you really want to pass the audit, find out from them what hash
> >> algorithm will pass. Maybe SHA-512 will pass?
> >>
> >>
> >> On Tue, 22 Apr 2008 14:12:26 +0000, Paul Cowan <[EMAIL PROTECTED]> wrote:
> >>
> >> >Hi,
> >> >We have a web application where the username and password are
> >> >stored in the database. The password is stored as SHA1. We have just
> >> >been through a security audit which deemed SHA1 to be not the safest
> >> >encryption algorithm. Is there any way we can update the passwords from
> >> >SHA1 to base64? We also need to have the transport running over https,
> >> >how can we develop against Https without purchasing a certificate?
> >> >Is there a [EMAIL PROTECTED]
> >
> ===================================
> This list is hosted by DevelopMentor® http://www.develop.com
>
> View archives and manage your subscription(s) at http://discuss.develop.com
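
An added example (not code from anyone in this thread): one way a server could salt with SHA-512 and move the existing SHA1 rows forward at login. It uses PBKDF2 with HMAC-SHA-512 rather than a single salted SHA-512 pass, because one fast hash is cheap to brute-force. The class name, the `iterations:salt:hash` storage format, hex-encoded legacy rows, the iteration count and .NET 6 or later are all assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordStore
{
    // Assumed parameters; tune Iterations to the server's hardware.
    const int SaltBytes = 16, HashBytes = 64, Iterations = 210_000;

    // New row format: "iterations:salt:hash". Base64 here is only encoding.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltBytes); // unique per user
        byte[] hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA512, HashBytes);
        return $"{Iterations}:{Convert.ToBase64String(salt)}:{Convert.ToBase64String(hash)}";
    }

    static bool Verify(string password, string stored)
    {
        string[] p = stored.Split(':');
        if (p.Length != 3 || !int.TryParse(p[0], out int n) || n < 1) return false;
        byte[] salt = Convert.FromBase64String(p[1]);
        byte[] expected = Convert.FromBase64String(p[2]);
        if (expected.Length != HashBytes) return false; // reject malformed rows
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, n, HashAlgorithmName.SHA512, HashBytes);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    // Assumption: legacy rows hold an unsalted SHA-1 of the UTF-8 password, as hex.
    static bool VerifyLegacySha1(string password, string sha1Hex)
    {
        byte[] actual = SHA1.HashData(Encoding.UTF8.GetBytes(password));
        return CryptographicOperations.FixedTimeEquals(actual, Convert.FromHexString(sha1Hex));
    }

    // A hash cannot be reversed, so a legacy row is upgraded at the next successful
    // login, while the server briefly holds the plaintext. Caller persists 'stored'.
    public static bool Login(string password, ref string stored)
    {
        if (stored.Contains(':')) return Verify(password, stored);
        if (!VerifyLegacySha1(password, stored)) return false;
        stored = Hash(password);
        return true;
    }

    static void Main()
    {
        // Constructed sample row standing in for an existing SHA-1 database value.
        string row = Convert.ToHexString(SHA1.HashData(Encoding.UTF8.GetBytes("correct horse")));
        Console.WriteLine(Login("correct horse", ref row) && row.Contains(':'));
        Console.WriteLine(Login("wrong guess", ref row));
    }
}
```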