Well? Is it possible? Passwords stored in the database are hashed with The Portable PHP Password Hashing Framework (http://www.openwall.com/phpass/).

How can I hash them in the same manner with AS3?

If that is not possible, what is the strongest hashing algorithm in the as3crypto library? Is it hmac-sha256?

Thank you.

Francisc
  • I would MD5 passwords. Best method for not being able to get it back. In my opinion at least. – The_asMan Nov 02 '11 at 20:36
  • I think it was cracked in 2009. Thanks though. – Francisc Nov 02 '11 at 20:44
  • That crack is table-based and, if I remember correctly, not completely reliable. In any case, passwords should be stored server-side. What exactly are you trying to do anyway? There might be a better solution I could point you at if I knew more about the issue at hand. – The_asMan Nov 02 '11 at 20:53
  • I am verifying passwords for authentication from a desktop app with a remote server. I want to send the hash instead of the plain-text password even if I am using SSL. – Francisc Nov 02 '11 at 20:55
  • So SSL + MD5 and you still question it? What you could do is have the server generate a key, have the client encrypt it with the key (I have done this with AES) and send the data to the server, then have the server decrypt it and dispose of the key, then MD5 the data and store it in the DB. – The_asMan Nov 02 '11 at 22:19
  • No. SSL + plain text is enough. But that only protects from data being stolen during transmission. If the database is hacked, MD5 is probably too weak. I basically want to use PHPass and its AS3 equivalent. If none exists, which as3crypto hashing method is best? – Francisc Nov 02 '11 at 23:02
  • If people are hacking your database you have more to worry about than a password. MD5 is the standard for password storage as there is pretty much no way to get it back. If you use an encryption method that uses a key then you have to store that key, and at that point the password can be decrypted. The point of MD5 is so nobody can ever read the password; it can't be decrypted. When logging in you compare the MD5s to determine if it is a match. – The_asMan Nov 02 '11 at 23:27
  • If you add SHA or AES encryption to the transfer from client to server then you are adding another layer to the SSL. Security is about layers not about the ability of a specific layer. – The_asMan Nov 02 '11 at 23:29
  • Your database server should never be accessible from the web if you have sensitive info in it. – The_asMan Nov 02 '11 at 23:31
  • In case someone gets to the database is what I meant. I'm sorry, I just don't think MD5 is enough anymore. It's hardly a standard anymore. I can crack up to 8-character passwords with all letters, numbers and punctuation very fast, in less than 2 hours. I can't ask people to have passwords longer than 15 chars, and that only for a few years until computers get even faster. – Francisc Nov 03 '11 at 11:02
  • Again, security is about layers, not about the ability of a specific layer. If for whatever reason MD5 isn't good enough for you, then add another layer. – The_asMan Nov 03 '11 at 15:34
  • I disagree. I think it's about quality not quantity. – Francisc Nov 04 '11 at 22:06

1 Answer

MD5 with some salt should be good enough and is supported on almost any platform. If you're not sure how to salt a hash, you could take a look at this tutorial: http://www.pixel2life.com/publish/tutorials/118/understanding_md5_password_encryption/

u.k
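The phpass "portable" hashes the question asks about are themselves salted, iterated MD5 in a fixed 34-character format, so the scheme can be reproduced on any platform that has a raw MD5 primitive (as3crypto included) as long as the byte-for-byte construction is matched. The reference implementation below is an added example written for this page in Python, not code from phpass, as3crypto or the thread; it follows the published `$P$`/`$H$` algorithm (custom base64 alphabet, `2**count_log2` rounds) and checks itself against the `test12345` vector that ships with phpass's own test.php.

```python
import hashlib
import hmac
import os

# phpass uses its own 64-character alphabet, not the RFC 4648 one.
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'


def encode64(data: bytes, count: int) -> str:
    """phpass encode64(): little-endian 3-byte groups -> 4 chars, no padding."""
    out, i = [], 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return ''.join(out)


def crypt_private(password: str, setting: str) -> str:
    """Portable hash: md5(salt+pw), then 2**count_log2 rounds of md5(h+pw)."""
    if setting[:3] not in ('$P$', '$H$') or len(setting) < 12:
        return '*0'  # phpass's "invalid setting" marker
    count_log2 = ITOA64.find(setting[3])
    if not 7 <= count_log2 <= 30:
        return '*0'
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + encode64(h, 16)  # 12-char setting + 22-char digest


def hash_password(password: str, count_log2: int = 11) -> str:
    """HashPassword() equivalent: 6 random salt bytes -> 8 salt characters."""
    return crypt_private(password, '$P$' + ITOA64[count_log2] + encode64(os.urandom(6), 6))


def check_password(password: str, stored: str) -> bool:
    """CheckPassword() equivalent with a constant-time comparison."""
    return hmac.compare_digest(crypt_private(password, stored), stored)


# Known vector from phpass test.php: portable hash of 'test12345', 2**11 rounds.
PHPASS_VECTOR = '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'
```

Verifying the client-side hash against the database's stored value still requires sending the salt (the first 12 characters) to the client first, which is why the comments above point out that hashing on the server over TLS remains the simpler design.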