You can have the most unbreakable password hashing scheme in the
world, but your site's data is only as secure as the weakest link.
There are plenty of attack vectors: XSS, CSRF, etc.  Any one of these
could be a potential way into a site admin account at least.  At a
minimum, don't reuse your server password(s) for your site admin
account.  Furthermore, don't reuse those passwords elsewhere, as they
are only as secure as the other guy's weakest link.

-Matt


On Tuesday, August 31, 2010, teccmo <tec...@gmail.com> wrote:
>
> Ralph said, "When hashing, choose a reasonably secure enough, yet supported
> method of hashing." However, it would appear that password stretching or
> strengthening is more important than the particular hash scheme. I learned
> this by following Bill's third article.
> The article was:
> PBKDF2 (Password-Based Key Derivation Function)
> http://en.wikipedia.org/wiki/PBKDF2 (and of course other articles referenced
> by this)
>
> This article led me to here http://en.wikipedia.org/wiki/Key_strengthening
> and that lead me to further reading of Openwall.com which focuses on key
> strengthening.
>
> I am not trying to find some foolproof solution, just trying to make sense
> of all the options.
>
> Since stretching or strengthening was never mentioned, I am wondering if
> anybody has an opinion on it.
>

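The stretching teccmo asks about, as an added example that is not code from this thread or from Zend Framework: PBKDF2-HMAC-SHA256 from Python's standard library, with a per-user random salt and an iteration count stored next to the hash so it can be raised later without breaking existing records. The record format and the iteration counts are my own choices for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed defaults for illustration; tune the iteration count to your hardware
# so one derivation costs a noticeable fraction of a second on the server.
ITERATIONS = 100_000
SALT_BYTES = 16
DK_LEN = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.

    Storing the parameters with the hash lets the iteration count grow over time;
    old records still verify because they carry the count they were made with.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DK_LEN)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the stored salt/iterations and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: never accept it
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=DK_LEN)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def stretch_cost_ratio(low: int, high: int) -> float:
    """Time one derivation at each iteration count; the ratio shows the work factor
    the stretching imposes on every guess, regardless of the underlying hash."""
    salt = b"\x00" * SALT_BYTES  # fixed salt so only the iteration count varies
    t0 = time.perf_counter()
    hash_password("benchmark", low, salt)
    t1 = time.perf_counter()
    hash_password("benchmark", high, salt)
    t2 = time.perf_counter()
    return (t2 - t1) / max(t1 - t0, 1e-9)
```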