Hello Richard,

On 17.03.2021 at 19:04, Richard Schoen <richard@xxxxxxxxxxxxxxxxx> wrote:

I would be interested to know what security experts have to say on which method is better.

According to the central part of the former message:

ENCRYPT_TDES(varchar('VALID'), 'Budweiser#01')

I searched about "ENCRYPT_TDES", and as the name suggests:

The ENCRYPT_TDES function returns a value that is the result of encrypting the first argument by using the Triple DES encryption algorithm.


In general, encryption is *not* the same as hashing. Encryption is by definition a reversible method, while hashing is a method to convert any input to a fixed-length, seemingly random string of characters. Important: the same input data always generates the same hash value! It is not reversible by nature. One can only try out all possible input data in the hope of finding input data which generates the same hash string. This is called a "collision".
In addition, TDES hints to Triple-DES which is considered broken by today's standards.


Reading this: https://www.ibm.com/support/knowledgecenter/ssw_ibm_i_74/db2/rbafzscaencrypttdes.htm

Suggests that the first (static) string will be used to encrypt the second string. So, if anybody can get hold of the first string (for example by examining source code), all passwords encrypted with that string are pwned.

When someone types a password in the password field whatsoever, that string is hashed with the same function being used to generate the hash being saved in the database. If both hashes are equal, the password is accepted as valid.

My conclusion (without digging deeper into ENCRYPT_TDES usage) is: True hashing is better, because not reversible. Even when the table data is leaking to the internet, it's more secure than a list of strings all being encrypted by just the same value: If the encryption string can be revealed by successfully decrypting just one obvious but sometimes used password like "12345", all entries are easily decryptable.

Hashing cannot protect against testing for "passwords" like "12345"! This is easily checked with a dictionary attack, revealing the most precious information to an attacker: a valid pair of login name and password string.


Learn more here:

https://en.wikipedia.org/wiki/Encryption

https://en.wikipedia.org/wiki/Hash_function

https://en.wikipedia.org/wiki/Triple_DES

https://en.wikipedia.org/wiki/Key_derivation_function (a redirect from the search string "Password Hashing")

https://en.wikipedia.org/wiki/Dictionary_attack

:wq! PoC
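The verification flow described in the reply (hash what the user types with the same function, compare with the stored value, never decrypt anything) as an added Python example; this is not code from the post or from IBM's Db2 functions. It assumes the standard library's PBKDF2-HMAC-SHA256 as a stand-in for whichever password-hashing function one would really choose, a per-user random salt so that identical passwords do not produce identical stored values, and a small constructed denylist to reject dictionary words such as "12345" at registration time, since hashing alone does nothing against guessing them.

```python
# Added example (not from the mailing-list post): a minimal password store that
# hashes with a salted, slow KDF instead of encrypting with one static key.
# Assumptions: PBKDF2-HMAC-SHA256 from the standard library stands in for any
# real password-hashing function; the denylist and sample values are constructed.
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # assumption: work factor so that each guess costs real CPU time

# Constructed stand-in for a real list of commonly used passwords.
COMMON_PASSWORDS = frozenset({"12345", "123456", "password", "qwerty", "letmein"})


def is_common_password(password: str) -> bool:
    """True if the password is on the (constructed) denylist of dictionary words."""
    return password.lower() in COMMON_PASSWORDS


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so one leaked table cannot be attacked with a single
    precomputed table for everybody.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-hash the typed password with the stored salt and compare digests.

    Nothing is decrypted: the record contains no way back to the password.
    hmac.compare_digest avoids leaking how many bytes matched via timing.
    """
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        expected = bytes.fromhex(digest_hex)
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:
        return False  # malformed record: treat as not matching
    return hmac.compare_digest(candidate, expected)


def register_user(store: dict, username: str, password: str,
                  iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Store a user unless the password is a known dictionary word; returns success."""
    if is_common_password(password):
        return False
    store[username] = hash_password(password, iterations)
    return True


def login(store: dict, username: str, password: str) -> bool:
    """Check a login attempt against the stored record for that user."""
    record = store.get(username)
    if record is None:
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {}
    # Constructed sample user; lower iteration count only to keep the demo quick.
    register_user(users, "richard", "Budweiser#01", iterations=50_000)
    print(users["richard"])
    print("login ok:", login(users, "richard", "Budweiser#01"))
    print("wrong password:", login(users, "richard", "12345"))
    print("dictionary word rejected:", register_user(users, "bob", "12345"))
```

Run it twice and the stored record for the same password differs each time (different salt) while login still succeeds, which is the property a leaked table of values all encrypted under one static key does not have.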

