Password Hash for UTF8

I need a replacement for this that I can store in the database as a UTF-8 string.
With this method I get an error at insert, I guess because it is just a byte sequence.

Public Function Hash(value As String) As String
  Dim hashValue As String

  hashValue = Crypto.PBKDF2(kSalt, value, 128, 32, Crypto.Algorithm.SHA512)

  Return hashValue
End Function

Put in BLOB field.
Or use EncodeHex to make a text.


Good idea, I just inserted:

hashValue = EncodeHex(hashValue)

Is that really a constant for the salt? Because it shouldn’t be; you should generate random bytes for each new entry and store it next to the hash.


Thanks for this hint.
For more security it makes sense.
In this app a secret word and an “unknown” number of iterations is good enough.

https://en.wikipedia.org/wiki/Salt_(cryptography)#:~:text=In%20cryptography%2C%20a%20salt%20is,to%20safeguard%20passwords%20in%20storage.

Always randomize your salt as Kem suggested above.


@Thom_McGrath has posted some good articles regarding password storage. Poke around his website. Here is one:


As I understood it, I need to store the salt in the same table to reproduce it for comparison at the next user login.

Typically, yes. And the longer the salt is, the better.

Just a note about why this is important. (Not so much for you Markus, but for others who find this thread later.)

Let’s say I wanted to attack your app and database and was able to obtain a copy of both. My first step would be to decompile the app to learn the salt and other hash settings. If the salt is the same for every record, my job becomes much easier. I don’t have to try to brute-force every record, I’d “just”* have to create a table of hashes using those settings, then match up records where I could. I’d also see where two users used identical passwords because the hash is the same.

(* “just” because this is still CPU-intensive.)

When the salt is different for every record, I can gain no information and would have to attack each record individually, making my job significantly less attractive.

Nothing provides absolute security, of course, so it’s all about increasing the level of difficulty to the point where a bad actor would give up.

(For even more security, check out the Security Through Obesity scheme.)

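An added example, not code from the thread, written in Python rather than Xojo: it shows the flow the replies describe, a fresh random salt per record, salt and hash stored as hex text, and re-hashing with the stored salt at login, and contrasts a fixed salt with a per-record one. The function names and the 16-byte salt length are my choices; the iteration count and SHA-512/32-byte output follow the original post.

```python
import hashlib
import hmac
import os

# Parameters taken from the thread's Hash() call: SHA-512, 32-byte output, 128 iterations.
# 128 is far below what a practitioner would use today; it is kept only to match the post.
ITERATIONS = 128
KEY_LEN = 32
SALT_LEN = 16  # assumption: 16 random bytes per record


def pbkdf2_hex(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """PBKDF2-HMAC-SHA512, hex-encoded (the same role EncodeHex plays in Xojo)."""
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, KEY_LEN)
    return digest.hex()


def make_record(password: str) -> dict:
    """Hash with a new random salt; every field is plain text, safe for a UTF-8 column."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt.hex(), "hash": pbkdf2_hex(password, salt), "iterations": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """At login: reproduce the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = pbkdf2_hex(password, salt, record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def hashes_collide(password: str, per_record_salt: bool) -> bool:
    """Two users with the same password: identical hashes under a constant salt
    (the leak Kem describes), different hashes once each record gets its own salt."""
    if per_record_salt:
        first, second = make_record(password), make_record(password)
    else:
        fixed = b"kSalt-constructed"  # constructed stand-in for a compiled-in constant
        first = {"hash": pbkdf2_hex(password, fixed)}
        second = {"hash": pbkdf2_hex(password, fixed)}
    return first["hash"] == second["hash"]


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)                      # salt and hash are hex strings
    print(verify("correct horse battery staple", rec), verify("wrong", rec))
    print(hashes_collide("hunter2", False), hashes_collide("hunter2", True))
```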