What's the latest password hash / data encryption algorithm for mysql?
Since I know only a little about cryptography, I am trying to find the best approach to hash a user's password in a VB.NET WinForms application and then save it in an online MySQL database. I have found many posts on this topic but cannot figure out which one is the best fit.
I am looking at this MSDN post but still cannot be sure whether I can use it.
I can't enter a random key there; it is generated automatically by the function.
So my question is: is this a reliable function for password hashing? Any alternatives?
Thanks.
Code:
Imports System
Imports System.IO
Imports System.Security.Cryptography

Class AesExample
    Public Shared Sub Main()
        Try
            Dim original As String = "Here is some data to encrypt!"

            ' Create a new instance of the Aes class.
            ' This generates a new key and initialization vector (IV).
            Using myAes As Aes = Aes.Create()
                ' Encrypt the string to an array of bytes.
                Dim encrypted As Byte() = EncryptStringToBytes_Aes(original, myAes.Key, myAes.IV)

                ' Decrypt the bytes to a string.
                Dim roundtrip As String = DecryptStringFromBytes_Aes(encrypted, myAes.Key, myAes.IV)

                ' Display the original data and the decrypted data.
                Console.WriteLine("Original: {0}", original)
                Console.WriteLine("Round Trip: {0}", roundtrip)
            End Using
        Catch e As Exception
            Console.WriteLine("Error: {0}", e.Message)
        End Try
    End Sub 'Main

    Shared Function EncryptStringToBytes_Aes(ByVal plainText As String, ByVal Key() As Byte, ByVal IV() As Byte) As Byte()
        ' Check arguments.
        If plainText Is Nothing OrElse plainText.Length
Do not encrypt passwords: when the attacker gets the DB, he will also get the encryption key. Merely using a hash function is not enough, and just adding a salt does little to improve security. Iterate over an HMAC with a random salt for about 100 ms and save the salt with the hash. Use a function such as ehash, PBKDF2, Bcrypt, passlib.hash or similar functions. The point is that the attacker would have to spend a lot of time brute-force searching for passwords.
NIST currently recommends PBKDF2 for password verification.
See:
- NIST Special Publication 800-63B (Digital Identity Guidelines)
- Towards Better Password Requirements by Jim Fenton
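The scheme the answer describes (random per-user salt, iterated HMAC tuned to roughly 100 ms, salt stored next to the hash, and a slow comparison at login) as a worked example. This is added illustration, not code from the question or the answer; it uses Python's standard-library PBKDF2-HMAC rather than .NET, and the storage string format (`pbkdf2_sha256$iterations$salt$hash`) and the calibration routine are assumptions chosen for the example. In .NET the same PBKDF2 primitive is `System.Security.Cryptography.Rfc2898DeriveBytes`.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Parameters assumed for this example (not from the original page).
ALGORITHM = "sha256"        # PBKDF2 uses HMAC-<ALGORITHM> as its PRF
SALT_BYTES = 16             # 128-bit random salt per stored password
DERIVED_KEY_BYTES = 32      # length of the stored hash


def calibrate_iterations(target_seconds: float = 0.1, start: int = 10_000) -> int:
    """Double the iteration count until one PBKDF2 run takes at least target_seconds.

    This is the "about 100 ms" tuning from the answer: the cost is chosen per
    deployment so that a legitimate login is cheap but a brute-force search is slow.
    """
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(ALGORITHM, b"calibration", b"\x00" * SALT_BYTES,
                            iterations, DERIVED_KEY_BYTES)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: scheme, iteration count, salt and hash.

    The salt is generated from the OS CSPRNG unless one is supplied (tests only).
    Everything needed to re-run the derivation at login is stored with the hash,
    so the iteration count can be raised later without breaking old records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt,
                             iterations, DERIVED_KEY_BYTES)
    return f"pbkdf2_{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt/iterations and compare in constant time."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algorithm = scheme[len("pbkdf2_"):]
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        count = int(iterations)
    except ValueError:
        return False  # malformed record: never raise, never accept
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                    salt, count, len(expected))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    n = calibrate_iterations()
    record = hash_password("correct horse battery staple", n)
    print("iterations:", n)
    print("stored:", record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
```

Store the whole returned string in the MySQL column (a VARCHAR is fine); the database then holds nothing an attacker can reverse without paying the full iteration cost per guess, and there is no key to steal alongside the table. The known-answer check in the test below uses the PBKDF2-HMAC-SHA256 vector from RFC 7914 (password "password", salt "salt", 1 iteration).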