What should every web developer know about encryption?

Backend · unresolved · 11 answers · 1364 views
甜味超标 2021-01-30 01:22

I've just landed a PHP5 gig. I won't be handling the parts of the application that involve super sensitive data, but I still know embarrassingly little about security and encr

11 answers
  •  悲哀的现实
    2021-01-30 01:47

    Please pay attention to following points when you store passwords,

    1. A hashed password is generally more secure because you don't have to keep a secret. However, it prevents you from using other hash-based schemes in your authentication flow. For example, you can't use HTTP Digest authentication with a hashed password.

    2. A simple hash is prone to rainbow table attacks (http://en.wikipedia.org/wiki/Rainbow_table). Please add a non-recurring nonce to the hash or use the nonce as the key to an HMAC. The nonce needs to be stored with the passwords. I prepend it to the digest.

    3. If encryption is used, make sure a random Initial Vector is used so the same password will be encrypted to different ciphertexts for different users. Otherwise, you are prone to a pattern-matching attack. MySQL has a built-in encryption command. It doesn't inject an IV, so never use it for passwords.

    4. Save the key name/version with the ciphertext so keys can be rotated. Key rotation is required for compliance with certain standards. Encryption without key information is impossible to decrypt when you are forced to change or rotate keys.

    If you follow this advice, your passwords will be safe with any encryption/hash schemes.
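Points 2 and 4 of the answer above, as an added Python example (not code from the answer or the question): a random per-user nonce used as the HMAC key and stored in front of the digest, plus a scheme tag in the stored record so the hashing scheme can be rotated later. The record format `scheme$salt$digest` and the `hmac-sha256-v1` tag are assumptions made here for illustration; a purpose-built password hash (PBKDF2, bcrypt, Argon2) is what you would use for new designs.

```python
import hashlib
import hmac
import os

# Assumed scheme tag and record layout for this example: "<scheme>$<salt_hex>$<digest_hex>".
# The tag plays the role of the key name/version in point 4: a stored record
# carries enough information to recognise which scheme produced it.
SCHEME = "hmac-sha256-v1"
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a storable record: a fresh random nonce keys an HMAC over the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # non-recurring nonce, one per stored password
    digest = hmac.new(salt, password.encode("utf-8"), hashlib.sha256).digest()
    return f"{SCHEME}${salt.hex()}${digest.hex()}"  # nonce is stored in front of the digest


def needs_rehash(record: str) -> bool:
    """True when the record was produced by a scheme other than the current one."""
    return record.split("$", 1)[0] != SCHEME


def verify_password(password: str, record: str) -> bool:
    """Recompute the HMAC with the stored nonce and compare in constant time."""
    scheme, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        # A record from an old scheme cannot be checked here; the caller should
        # migrate it (point 4) rather than silently accept or reject it.
        raise ValueError(f"unsupported password scheme: {scheme}")
    expected = hmac.new(bytes.fromhex(salt_hex), password.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed demo: two users with the same password get different records,
    # so a precomputed table for one digest says nothing about the other.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print(alice)
    print(bob)
    print("same digest:", alice.split("$")[2] == bob.split("$")[2])
    print("alice verifies:", verify_password("correct horse battery staple", alice))
    print("legacy record needs rehash:", needs_rehash("legacy-md5$00$d41d8cd98f00b204e9800998ecf8427e"))
```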
