Quote:
Originally Posted by ******
1) Don't invent your own hash system, use the BCrypt plugin.
2) For a hash to be good, it needs to take a long time (so it is hard to bruteforce). This means if you do the hashing in an include you will halt server processing for hundreds of milliseconds, which will cause noticable lag. This is a legitimately worrying amount of time, unlike the tiny bits people normally worry about.
3) Don't call "hash" for multiple rounds in PHP. Not because rounds are a bad idea - they are a great idea; but because PHP's "hash" function is broken when called multiple times. I reported this to them literally years ago and they closed the report as "not a bug", despite me providing clear examples.
4) Don't use a constant salt the same for everyone, that is nearly as bad as no salt, since any attackers can still just precompute common passwords for comparison.
5) Use the BCrypt plugin.
6) Use the BCrypt plugin.
7) Use the BCrypt plugin.
|
****** ty for ur answer. I have some more questions on ur replays.
2) Should i still use a external host to provide the password hash because the hashing process will lag my server?
3) If PHP "hash" have some bugs when it's called multilpe times, should i call it one tine to avoid bugs and lags?
4) Should I generate a random salt, for each registration, and store it in database? But then... the salt it will be ez avaible when the DB will be broken. I'm thinking to use a static salt(not-stored) and a dynamic salt(stored) in DB, it's this secure and ok?
5), 6), 7) Is it the good BCrypt plugin? (
https://sampforum.blast.hk/showthread.php?tid=453544)
