most secure password scheme
Hello,
I have a few questions on password schemes. Is SHA512 the most secure? Is there a difference between SHA512 and SHA512-CRYPT? What about SSHA512 and SSH512-CRYPT?
Is there a problem with this sql statement:
UPDATE virtual_users SET password=CONCAT(‘{SHA256-CRYPT}’, ENCRYPT (‘Password Goes Here’, CONCAT(‘$5$’, SUBSTRING(SHA(RAND()), -16)))) WHERE user=’user@example.com’;
I'm getting an error 1064 at the ending email address.
Thanks. Dave.
On April 29, 2017 at 4:22 AM David Mehler <dave.mehler@gmail.com> wrote:
SSHA512 is salted SHA512; SHA512-CRYPT is a crypt(3)-compatible salted hash. PKCS5 or SHA512-CRYPT with over 1000 rounds is probably very secure, but SHA512-CRYPT is also good. Using SHA512 is not recommended, as it's an unsalted hash.
If ENCRYPT is the same as crypt(3) then you can try putting rounds into the salt, like "$6$rounds=4000$s9Zc4OA11IuLt/iV$".
Aki
Hello,
Thanks for the explanation. So should I go with SSHA512 or SHA512-CRYPT? From your explanation I'm interpreting it to mean that SHA512-CRYPT also salts. This is for storing in a MySQL database. Also, what should the password field length and type be set to? Currently it's varchar(128).
Thanks. Dave.
On 4/29/17, Aki Tuomi <aki.tuomi@dovecot.fi> wrote:
I would go with SHA512-CRYPT, since it is compatible with lots of other things. The field length is static and it contains ASCII characters, and it appears to be 118 characters long, but it might be a good idea to use varchar(255) nevertheless, in case you decide to use something else someday.
With MySQL, you can do
mysql> SELECT ENCRYPT('hello','$6$rounds=4000$s9Zc4OA11IuLt/iV');
I would advise using rounds for extra security, but this is of course up to you. The rounds parameter will make the algorithm do 4000 rounds of SHA512 to make it less feasible to do brute-force attacks.
Aki
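The SHA512-CRYPT scheme Aki recommends, as an added example that is not from this thread or from Dovecot: a pure-Python, crypt(3)-compatible $6$ implementation (hashlib only) that takes the same "$6$rounds=4000$salt" setting string as the ENCRYPT() call above, so the hash can be produced in the application rather than inside MySQL, plus a constant-time verifier for the "{SHA512-CRYPT}..." value stored in virtual_users.password. The rounds clamp [1000, 999999999] and the 16-character salt limit are glibc's behaviour; the function and variable names are the example's own.

```python
import hashlib
import secrets
# crypt(3) base64 alphabet (not RFC 4648), lowest value first.
_B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Output byte order used by the sha512-crypt encoder: triples (22k, 22k+21, 22k+42) mod 63, then byte 63.
_ORDER = [((22 * k) % 63, (22 * k + 21) % 63, (22 * k + 42) % 63) for k in range(21)]

def _repeat_to(block: bytes, n: int) -> bytes:
    return (block * (n // len(block) + 1))[:n]

def _encode(digest: bytes) -> str:
    out = []
    for b2, b1, b0 in _ORDER:  # 6 bits at a time, least significant first
        w = (digest[b2] << 16) | (digest[b1] << 8) | digest[b0]
        out += [_B64[(w >> s) & 0x3F] for s in (0, 6, 12, 18)]
    out += [_B64[(digest[63] >> s) & 0x3F] for s in (0, 6)]
    return "".join(out)

def sha512_crypt(password: str, setting: str) -> str:
    """SHA512-CRYPT ($6$) as crypt(3) computes it; 'setting' is the '$6$[rounds=N$]salt'
    string that MySQL's ENCRYPT() takes as its second argument."""
    parts = setting.split("$")
    if parts[:2] != ["", "6"]: raise ValueError("not a $6$ setting string")
    rounds, custom, i = 5000, False, 2
    if parts[2].startswith("rounds="):
        # The work factor travels inside the salt string; glibc clamps it to [1000, 999999999].
        rounds, custom, i = max(1000, min(int(parts[2][7:]), 999_999_999)), True, 3
    salt, key = parts[i][:16].encode(), password.encode()  # at most 16 salt chars are used
    b = hashlib.sha512(key + salt + key).digest()
    ctx = hashlib.sha512(key + salt)
    ctx.update(_repeat_to(b, len(key)))
    n = len(key)
    while n:  # one block per bit of the password length
        ctx.update(b if n & 1 else key)
        n >>= 1
    a = ctx.digest()
    p = _repeat_to(hashlib.sha512(key * len(key)).digest(), len(key))
    s = _repeat_to(hashlib.sha512(salt * (16 + a[0])).digest(), len(salt))
    for r in range(rounds):  # the cost knob: 'rounds' chained SHA-512 computations
        c = hashlib.sha512(p if r & 1 else a)
        if r % 3: c.update(s)
        if r % 7: c.update(p)
        c.update(a if r & 1 else p)
        a = c.digest()
    return "$6$" + (f"rounds={rounds}$" if custom else "") + salt.decode() + "$" + _encode(a)

def verify(password: str, stored: str) -> bool:
    """Constant-time check of a password against a stored '{SHA512-CRYPT}$6$...' value."""
    setting = stored.removeprefix("{SHA512-CRYPT}")
    return secrets.compare_digest(sha512_crypt(password, setting), setting)
```

With Aki's setting string the 32-character prefix plus the 86-character hash gives exactly the 118-character value he mentions.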
On April 30, 2017 at 4:59 AM David Mehler <dave.mehler@gmail.com> wrote:
On 30-04-17 08:49, Aki Tuomi wrote:
https://dev.mysql.com/doc/refman/5.7/en/encryption-functions.html#function_e...
Note: The ENCRYPT() function is deprecated as of MySQL 5.7.6, will be removed in a future MySQL release, and should no longer be used. Consider using AES_ENCRYPT() instead.