StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

PO
primarykey
Id
10125604
data
AcceptedAnswerId
0
AnswerCount
0
ClosedDate
CommentCount
0
CommunityOwnedDate
CreationDate
2012-04-12T14:25:21.777
FavoriteCount
0
LastActivityDate
2012-04-12T15:01:19.653
LastEditDate
2012-04-12T15:01:19.653
LastEditorUserId
509610
OwnerUserId
509610
ParentId
10125219
PostTypeId
2
Score
13
ViewCount
0
LastEditorDisplayName
text
Body
SHA512 is not a terrible choice. But it won't be long before it is cracked for most lengths of passwords. Take <a href="http://www.codinghorror.com/blog/2012/04/speed-hashing.html" rel="noreferrer">Jeff's Advice</a>. Use <a href="http://en.wikipedia.org/wiki/Bcrypt" rel="noreferrer">bcrypt</a> or <a href="http://en.wikipedia.org/wiki/Pbkdf2" rel="noreferrer">PBKDF2</a>. They are resistant to EC2 or other parallel processing techniques. Probably not immune, but resistant. The reason a better hash isn't better in this case is <code>ABC</code> in MD5 becomes one value and <code>ABC</code> in SHA512 becomes one value. Calculating all the 3 letter passwords is <a href="http://www.cryptopp.com/benchmarks.html" rel="noreferrer">actually easier for SHA512 than it was for MD5</a>. The key is to be hard to do. That means a slow hash, one that uses a lot of RAM, and/or one that can't be easily done on EC2. The best choice is to NOT use passwords alone anymore at all. Decide if login is really needed for your site, and if it is, try to use a 3rd party provider first. If that's not an option consider a password + token from RSA. Only use a password alone if you have no other viable options. When hashing a password the key is to hash(password + salt) and the salt needs to be unique per user, and should also be difficult or impossible to guess. Using the Username meets the first criteria and is better than no salt or the same salt for each user, but a unique random salt for each user is a better choice. Ideally in a separate database, if not location, with its own credentials. It should also be keyed not on the username, but on the user_id or even a hash of the user_id. You want that database to be SQL injection proof. Accepting no input from the user that isn't hashed is a good way to do that. And you would be wise to let the query itself do the hashing. Slow? Yes, and that's ALSO a good thing. The salt itself should contain all the hard to predict data it can get. Username + User Id + Timestamp + garbage from dev/urandom + the latest tweet with the word taco in it. Longer the better. SHA512 is a good choice of hash here. Summary: hash = bcrypt(password + salt), salt = sha512(username + user_id + timestamp + microtimestamp + dev/urandom bits + other noise). If you are still worried after all of that. Feel free to SHA512 the bcrypted password. You'll gain the strength of SHA512, which when cracked only reveals a much harder to brute force bcrypted hash.
Tags
Title
singulars
PostAcceptedAnswerId
1. This table or related slice is empty.
PostParentId
1. POMd5 Alternative in PHP?
 singulars
 PostTypePostTypeId
 PTQuestion
PostTypePostTypeId
1. PTAnswer
UserLastEditorUserId
1. USDampeS8N
UserOwnerUserId
1. USDampeS8N
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. This table or related slice is empty.
PostsAcceptedAnswerId
1. POMd5 Alternative in PHP?
 singulars
 PostTypePostTypeId
 PTQuestion
PostsParentIdCreationDate
1. This table or related slice is empty.
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
2. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTAcceptedByOriginator
3. VO
 singulars
 PostPostId
 PO
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId
1. This table or related slice is empty.

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.