
Re: [brisbane-webtech] Re: on password encryption and storage

From: Tim R.
Sent on: Friday, July 20, 2012 9:44 AM
For someone looking for an easy solution they can implement quickly, I'd recommend using phpass from http://www.openwall.com/phpass/

It's a hashing library that has already been scrutinized by many thousands of people, is used in WordPress and is really easy to use.

One of the most important things it does is use an algorithm that takes anywhere up to a second (depending on your settings) to verify a user's password. This is important because it means if anyone ever gets a copy of your database they can't try a million+ passwords a second like they can with normal hashing algorithms; instead it takes them a second per password, making it almost impossible for them to brute force crack your users' passwords.


On Thu, Jul 19, 2012 at 12:52 PM, Darren Mackay <[address removed]> wrote:
Hi,

Having been a code auditor in a previous life... 

| Note that new laws are coming in to place in Australia that will force everybody
| to be quite a bit more responsible with user data. Best to keep it secure.

| Also mind that CREloaded somehow passed its PCI DSS certification with this
| code in place, while it clearly breaches basic safety guidelines. So, it slipped
| through. PCI DSS and other certification on e-commerce components are *not*
| a guarantee that the code is good/safe.

Unfortunately there is a *lot* of disillusionment over what the various security auditors and accreditations are.

Even with an experienced auditor involved, it is *extremely easy* to get a client over the line, regardless of what type of audit is being conducted.

That said, it shouldn't be... but commercial realities of 2012 and requirements of performing the audit for a given price / time frame / etc tend to overshadow good intent.

Relevant regulatory requirements, both existing and planned, aren't worth the paper they are written on unfortunately - but I think a lot on this list already know that (preaching to the converted is easy)


__________


Darren Mackay
DMERFC.COM PTY LTD
Enterprise Research, Forensics and Consulting
mobile: [masked]
twitter: @darrenmackay
email / xmpp: [address removed]
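
The slow-hash point made at the top of this message, as an added example that is not part of the thread and is not phpass code: it swaps in PHP's built-in `password_hash()` (bcrypt) for phpass and compares how many guesses per second a fast hash and a cost-12 bcrypt hash allow on the same machine. It assumes PHP 7 or later; the helper name, sample password and cost values are constructed for illustration.

```php
<?php
// Added example; the helper name and all sample values are constructed.

// Hypothetical helper: hashes computed per second on this machine with $fn.
function guesses_per_second(callable $fn, int $rounds): float
{
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn("guess-$i");
    }
    return $rounds / (microtime(true) - $start);
}

$password = 'correct horse battery staple'; // constructed sample password

// Fast general-purpose hash: cheap for the site, equally cheap per guess
// for anyone holding a copy of the database.
$fastRate = guesses_per_second(function ($g) {
    return hash('sha256', $g);
}, 200000);

// Adaptive hash: bcrypt with a tunable cost. Each +1 doubles the work per guess.
$options = ['cost' => 12];
$slowRate = guesses_per_second(function ($g) use ($options) {
    return password_hash($g, PASSWORD_BCRYPT, $options);
}, 5);

printf("sha256:         %.0f guesses/s\n", $fastRate);
printf("bcrypt cost 12: %.1f guesses/s\n", $slowRate);

// Store only the returned string: it embeds the algorithm, cost and a
// per-password random salt, so no separate salt column is needed.
$stored = password_hash($password, PASSWORD_BCRYPT, $options);

// Login check: password_verify() re-derives the hash from the embedded
// parameters and compares in constant time.
if (!password_verify($password, $stored)) {
    throw new RuntimeException('correct password was rejected');
}
if (password_verify('wrong guess', $stored)) {
    throw new RuntimeException('wrong password was accepted');
}

// As hardware gets faster, raise the cost and upgrade each hash at the
// user's next successful login, while the plaintext is available.
$target = ['cost' => 13];
if (password_needs_rehash($stored, PASSWORD_BCRYPT, $target)) {
    $stored = password_hash($password, PASSWORD_BCRYPT, $target);
}
```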




