Is SHA256 safe for password storage? Should I use anything else?
#1

Title says it all
Reply
#2

Me use WP_Hash, but SHA256 is good, it guarantee you the security
Reply
#3

Use Whirlpool!
Reply
#4

It's fine. Use salts for extra security. The salt should be at least as long as the hash itself (so 256 bits, 64 characters), it should be randomly generated and it should be unique for each player. That should provide sufficient protection. Until the player uses the password 123456 ...

Edit: as for Whirlpool: this requires an extra plugin. You've got a native implementation of SHA2 at your disposal. You might as well use it. And it even comes with a built in salting algorithm.
Reply
#5

Quote:
Originally Posted by Vince
Посмотреть сообщение
It's fine. Use salts for extra security. The salt should be at least as long as the hash itself (so 256 bits, 64 characters), it should be randomly generated and it should be unique for each player. That should provide sufficient protection. Until the player uses the password 123456 ...

Edit: as for Whirlpool: this requires an extra plugin. You've got a native implementation of SHA2 at your disposal. You might as well use it. And it even comes with a built in salting algorithm.
Just to clarify, salts are only needed to randomize the hash of common phrases, thus lowering chances of your password showing up in pre-calculated tables. So, if my password was simply "password", adding a salt would make my password (this is a 8-byte salt) "password+F1F35315F955C293", or something similar.

And Vince, your salt doesn't need to be bigger than 128 bits. A 128 bit salt makes 1000 passwords per user reusing the same salt (I'm talking > 7 billion users here) negligible. All depends on the size of your community, to be fair. The OP would get away with a 32 bit salt, provided his playerbase doesn't grow above ~ 10,000 users.
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)