Re: Advanced Password Security - WhatPassword
Board: Project Development
by FelipeAquinoBr on 08/05/2018, 06:10:45 UTC

Quote from: Mocacinno

In situation B it doesn't even matter if your complete source code, password file and database dump ever get leaked... The attacker won't be able to use that information to decrypt the password hashes.
As long as no rainbow tables for bcrypt passwords with a length of 23-25 characters are generated, your users will always be safe (hint: I don't think such rainbow tables will exist in our lifetime... It would require bcrypt ASICs and a corporate SAN to generate and store this data).

And from a programming point of view: what's the difference between comparing two plaintext strings and two hashes? The only extra cost is that you have to hash the user's input twice... Costing you a couple of processor cycles and maybe a couple of milliseconds... Seems like a fair price to protect your users, doesn't it?


Hello, Mocacinno!

Thanks for your comment; I'll give you more detailed information about the encryption and the site. I believe that nothing you mentioned will cause any problems for WhatPassword.

Of your two models, I'm using B.

I am using the Laravel 5.6 framework for the source code structure, and this guarantees me great security against bugs that I myself could introduce while writing the source code. For cryptography I'm using bcrypt, which already comes included in the framework. Another security factor that I have not yet created but have already planned is a mechanism to send multiple emails and SMS messages when a person requests their password; however, only one of these is real and the others are fakes. So for the hacker trying to find out which one is real, it will cost more time and make it almost impossible to do everything in 1 minute.

The passwords in the database are also destroyed after that time, so it does not matter if he hacks the database; it will only contain passwords valid for less than 1 minute.

I hope I have explained it clearly. Hugs
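The scheme the two posts describe (model B: keep only a bcrypt hash of each generated password, re-hash the user's input to check it, and destroy the record after about a minute) can be shown end to end in plain PHP. This is an added example written for this page, not WhatPassword's code or Laravel's; it uses PHP's built-in password_hash()/password_verify() with PASSWORD_BCRYPT, which is what Laravel's Hash::make()/Hash::check() wrap. The in-memory $store array, the function names, the 24-character length and the cost factor of 12 are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not the project's code): issue a random one-time password,
// persist only its bcrypt hash plus an expiry, verify by re-hashing the
// submitted value, and purge expired rows. $store stands in for the DB table.

const PASSWORD_LENGTH      = 24; // assumption: inside the 23-25 character range from the thread
const PASSWORD_TTL_SECONDS = 60; // "valid for less than 1 minute"
const BCRYPT_COST          = 12; // assumption: work factor (Laravel 5.6 defaults to 10)

// Build the password from a CSPRNG over an alphabet without look-alike glyphs
// (no 0/O, 1/l/I), since the value is read from an email or SMS.
function generatePassword(int $length = PASSWORD_LENGTH): string
{
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Issue a password for $userId. The plaintext is returned once for delivery;
// the database only ever sees the bcrypt hash and the expiry timestamp.
function issuePassword(array &$store, string $userId, int $now): string
{
    $plain = generatePassword();
    $store[$userId] = [
        'hash'       => password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
        'expires_at' => $now + PASSWORD_TTL_SECONDS,
    ];
    return $plain;
}

// A submitted password must exist, be unexpired and match the stored hash.
// password_verify() re-hashes the input with the salt and cost embedded in
// the stored hash and compares in constant time. A successful check consumes
// the record so the same password cannot be replayed.
function verifyPassword(array &$store, string $userId, string $submitted, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $row = $store[$userId];
    if ($now >= $row['expires_at']) {
        unset($store[$userId]); // expired: destroy it, as the post describes
        return false;
    }
    if (!password_verify($submitted, $row['hash'])) {
        return false;
    }
    unset($store[$userId]);
    return true;
}

// Periodic cleanup so a later database dump holds nothing but expired,
// already-deleted rows. Returns how many records were removed.
function purgeExpired(array &$store, int $now): int
{
    $removed = 0;
    foreach ($store as $userId => $row) {
        if ($now >= $row['expires_at']) {
            unset($store[$userId]);
            $removed++;
        }
    }
    return $removed;
}

// Walkthrough with a fixed clock so the sequence is reproducible.
$store = [];
$t0 = 1000000;

$plain = issuePassword($store, 'alice', $t0);
echo 'wrong guess accepted?        ', var_export(verifyPassword($store, 'alice', 'not-the-password', $t0 + 5), true), PHP_EOL;
echo 'correct, within TTL?         ', var_export(verifyPassword($store, 'alice', $plain, $t0 + 5), true), PHP_EOL;
echo 'same password replayed?      ', var_export(verifyPassword($store, 'alice', $plain, $t0 + 6), true), PHP_EOL;

$plain = issuePassword($store, 'bob', $t0);
echo 'correct, but after TTL?      ', var_export(verifyPassword($store, 'bob', $plain, $t0 + PASSWORD_TTL_SECONDS), true), PHP_EOL;

issuePassword($store, 'carol', $t0);
echo 'rows purged after 2 minutes: ', purgeExpired($store, $t0 + 120), PHP_EOL;
echo 'rows left in store:          ', count($store), PHP_EOL;
```

Two things worth noting for the threat model in the thread: because the hash is salted per record and the cost factor is tunable, a leaked table of these hashes has to be attacked one row at a time at bcrypt speed, and because every row is deleted on use or expiry, the window in which a dump contains anything attackable is the TTL itself. The expiry check runs before the hash comparison on purpose, so an expired record is destroyed even when someone submits the right value late.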