Re: Alternatives to storing a user's password in your database

Author: MB Software Solutions, LLC

Posted: 2011-12-21 at 01:43:47

On 12/21/2011 12:41 AM, Christof Wollenhaupt wrote:

> If you use CRC functions you should salt the value. That is adding a few

> application specific characters before or after the password, then passing

> the result to SYS(2007) - or whatever else. Adding more sophisticated

> functions to calculate the hash value would be possible but not add

> security value. Once you went beyond storing the password, the application

> (with code injection) becomes the weakest link, not cracking a password.

>

That makes sense. Seems like me just getting and storing the CRC of

"<whatever prefix I choose here>" along with their password and then on

the login screen, comparing that same prefix + their entered password

against the stored value would be sufficient.

I see that approach as responsible. I'd like to hear someone give an

explanation as to why it wouldn't be (responsible).

Thanks,

--Mike

--

Mike Babcock, MCP

MB Software Solutions, LLC

President, Chief Software Architect

http://mbsoftwaresolutions.com

http://fabmate.com

http://twitter.com/mbabcock16

_______________________________________________

Post Messages to: ProFox@leafe.com

Subscription Maintenance: http://leafe.com/mailman/listinfo/profox

OT-free version of this list: http://leafe.com/mailman/listinfo/profoxtech

Searchable Archive: http://leafe.com/archives/search/profox

This message: http://leafe.com/archives/byMID/profox/4EF18023.2020603@mbsoftwaresolutions.com

** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.

©2011 MB Software Solutions, LLC