-5

What do you think is the best way to store a password in the database?

I suggest:

  • hashing using something way better than MD5. But what?
  • salting with a very cryptic non-readable salt such as DonKEYFace or something
  • "sugar" - some energy. Timestamp! And check it against the DB later.
  • "pepper": has potential so power it with a big number!

Any thoughts?

And please, do not just point to theory. Everyone knows that already. Do some calculations! Show me how quickly you could decipher this!

schroeder
Piddien

  • You have not defined "best". Do you define best by the length of time to find a collision? To create a rainbow table? To bruteforce a match? What do you mean by "non-readable salt"? Are you taking into account Kerckhoffs's principle? – schroeder Apr 03 '17 at 11:48
  • Okok. The password field can be of size 4048 bits. Good luck! Now you can calculate the max value of the field. – Piddien Apr 03 '17 at 12:02
  • I'm sorry, but I need to downvote this, it doesn't seem like you've done any research or put any effort into this yourself. – Mike Ounsworth Apr 03 '17 at 12:07

1 Answer

3

Since the hashing method, salt, pepper, and "sugar" are not secret and can be known, and you seem to be focused on "time to decipher", I'm not sure there is any benefit to your scheme.

Once I know your hashing method and all these pieces, the "time to decrypt" is not appreciably longer than with a more standard method; you're just adding to the strings.

If your response is to make more and more of the scheme "secret", then there can be no calculation because your scheme depends on secrecy, not math. Debating how much longer it might take to "decipher" if certain pieces are unknown is a bit like trying to count the number of angels dancing on the head of a pin.

schroeder

  • I am not just adding to the strings. My application, separated from the database, knows the salt, sugar and pepper. For instance FunnYHaCkerDude, and sugar is now in TIMESTAMP when creating the password, and for instance pepper is the power of 17. – Piddien Apr 03 '17 at 12:05
  • Yes, you are just adding to strings - so what if you have all these nice fancy strings spread out all over the globe? You need to bring them all together to input to your hash function. Whether it is `hash(pass + salt + pepper + sugar + your cat's birthday)` or `hash(pass + hash(salt + hash(pepper + ...` you are just adding strings. Those strings can be known (have to be known) and so can the hash method. – schroeder Apr 03 '17 at 12:08
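The calculation the question asks for, as an added example that is not code from the thread or from either participant: it implements the scheme the way the answer reads it (one fast hash over the concatenated password, salt, pepper and "sugar"), runs the same dictionary attack against that and against PBKDF2-HMAC-SHA256, and shows that the extra strings change nothing about the number of guesses an attacker needs; only the per-guess work factor does. SHA-256 stands in for "something way better than MD5", the salt/pepper/sugar values, the wordlist, the fixed KDF salt and the 10^9 hashes-per-second attacker rate are all constructed assumptions, and the PBKDF2 cost model (about two SHA-256 calls per iteration) is an approximation.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional, Sequence, Tuple

# Constructed sample values standing in for the question's "salt", "pepper"
# and "sugar".  None of them is secret in the attacker model the answer uses:
# the salt and the timestamp sit next to the stored hash, and the app-side
# pepper is assumed recovered (Kerckhoffs's principle).
SALT = b"DonKEYFace"            # the "cryptic" salt from the question
PEPPER = b"FunnYHaCkerDude"     # the app-side string from the comments
SUGAR = b"1491220800"           # fixed stand-in for the creation timestamp (assumption)

# Constructed wordlist; the victim's password is the fourth entry.
WORDLIST = [b"password", b"123456", b"qwerty", b"letmein", b"dragon"]
USER_PASSWORD = b"letmein"


def decorated_sha256(password: bytes) -> bytes:
    """The question's scheme as the answer describes it: one fast hash over
    password + salt + pepper + sugar.  SHA-256 is as fast per guess as MD5."""
    return hashlib.sha256(password + SALT + PEPPER + SUGAR).digest()


def slow_kdf(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Standard alternative: PBKDF2-HMAC-SHA256 with a per-user salt and a
    tunable work factor.  The cost per guess comes from `iterations`, not
    from how many strings are concatenated."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def crack(stored: bytes, guess: Callable[[bytes], bytes],
          wordlist: Sequence[bytes]) -> Tuple[int, Optional[bytes]]:
    """Dictionary attack by an attacker who knows every input except the
    password.  Returns (guesses tried, recovered password or None)."""
    tried = 0
    for candidate in wordlist:
        tried += 1
        if hmac.compare_digest(guess(candidate), stored):
            return tried, candidate
    return tried, None


def sha256_calls_per_guess(iterations: int) -> int:
    """Approximate SHA-256 invocations per PBKDF2-HMAC-SHA256 guess (two per
    HMAC, one HMAC per iteration), versus 1 for the decorated fast hash."""
    return 2 * iterations


def seconds_to_exhaust(keyspace: int, sha256_per_second: float,
                       calls_per_guess: int) -> float:
    """Worst-case time to try every candidate in `keyspace` for an attacker
    able to compute `sha256_per_second` SHA-256 calls (an assumed rate)."""
    return keyspace * calls_per_guess / sha256_per_second


def demo() -> None:
    # Decorated fast hash: the attacker recomputes the same concatenation.
    stored_fast = decorated_sha256(USER_PASSWORD)
    print("decorated sha256:", crack(stored_fast, decorated_sha256, WORDLIST))

    # Slow KDF: the same number of guesses, but each one costs far more.
    salt, iters = b"\x00" * 16, 600_000   # fixed salt only so the demo is reproducible
    stored_slow = slow_kdf(USER_PASSWORD, salt, iters)
    t0 = time.perf_counter()
    print("pbkdf2:", crack(stored_slow, lambda p: slow_kdf(p, salt, iters), WORDLIST))
    print(f"  ({time.perf_counter() - t0:.2f}s for {len(WORDLIST)} guesses)")

    # The calculation the question asked for: 8 lowercase letters at an
    # assumed 10^9 SHA-256/s, fast hash versus PBKDF2 with 600k iterations.
    keyspace, rate = 26 ** 8, 1e9
    print("fast hash, all 26^8:", seconds_to_exhaust(keyspace, rate, 1), "s")
    years = seconds_to_exhaust(keyspace, rate, sha256_calls_per_guess(iters)) / 86400 / 365
    print("pbkdf2,    all 26^8:", round(years, 1), "years")


if __name__ == "__main__":
    demo()
```

Both attacks recover `letmein` on the fourth guess: knowing the salt, pepper and timestamp, the attacker just feeds the same concatenation to the same hash, so the decorations are free. What moves the numbers is the work factor: at the assumed rate, every 8-letter lowercase password falls to the fast hash in a few minutes, while PBKDF2 at 600,000 iterations pushes the same search to years. A per-user random salt (os.urandom, stored alongside the hash) keeps precomputation and rainbow tables out of the picture; a memory-hard function such as hashlib.scrypt raises the attacker's cost further for the same wall-clock cost on the server.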