Databases
StackOverflow2013
Postsdbo
PO
Body
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    text
    copied!<p>Here's a better algorithm for ya, that will let you switch everyone over at once. You'll have to figure out how to implement this in devise, but here's the outline. This isn't mine, found on the web at the URL noted. </p> <hr> <p><a href="http://blog.jgc.org/2012/06/one-way-to-fix-your-rubbish-password.html" rel="nofollow">http://blog.jgc.org/2012/06/one-way-to-fix-your-rubbish-password.html</a></p> <ol> <li><p>Suppose you have a database that contains password hashes for the n users of your site, and for each user you have salt si and hash hi (where hi was computed with some algorithm such as SHA1 or MD5). (Note that the rest of these instructions work if there's no salt, just ignore it).</p></li> <li><p>Suppose that you've chosen to use scrypt. For each user you first create a new random salt value s'i and then compute a new hash h'i using the formula scrypt(s'i, hi) and store the new salt and hash in the database. You throw away the old weak hash hi and forget it ever existed. So you are left with two salt values and a new hash. (I've ignored the other scrypt parameters which are left to the reader to determine).</p></li> <li><p>When user i logs in and presents password p you use your old weak hash algorithm (let's suppose it was md5(salt, password)) to compute a hash for comparison as follows: scrypt(s'i, md5(si, p)) and compare that with the h'i stored in the database.</p></li> <li><p>If, like last.fm, you were also allowing third-parties to authorize users by presenting the old hash value instead of the password then you can still use this scheme. When the third-party presents hash h for user i you calculate scrypt(s'i, h) and do the comparison.</p></li> <li><p>If step 4 is not needed then you can go further when a user logs in. Once the user has logged in successfully with password p you can completely eliminate any trace of the old weak hash by choosing a new random salt value s''i and computing scrypt(s''i, p) and storing that in the database.</p></li> </ol> <p>This has the effect of immediately making your password database more secure if stolen without any effort on the part of your users.</p>
 

Querying!

 
Guidance
An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload