Sunday, July 29, 2007

Internal design, passwords, hashing

SHA-1, MD5, and the future. These hash functions are tentative measures, as almost everything is, and so they should be treated as tentative: assume they will be replaced. All scientists must know this. All "computer scientists" should know this. All historians should know this.

What to do. When storing a password, store alongside it which hash function was used to produce the stored hash.

user_name = "Moryton"
user_password_hash_function = MD5/SHA/...
user_password_hash = ****

If you haven't gotten the idea yet: once a new hash function is introduced, it is easy to update the internal system to handle it. For instance, the next time a user changes the password, it would be stored with the new hash function, and the stored type tells the system how to verify the older passwords in the meantime. (Of course, the user_password_hash field would probably have to be widened first to fit a longer digest, but that one's obvious; though that's subjective to say.)
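An added example (not code from the post) of the record layout above in practice: each record carries the user_password_hash_function tag, the verifier dispatches on it, and a record still written with an old function is re-hashed under the current one as soon as the plaintext is available. It goes beyond the post in two ways that are assumptions of this example: the "new" function is a salted, iterated PBKDF2-SHA256 rather than a bare digest (so a user_password_salt field is added), and the upgrade happens at any successful login, not only when the user changes the password, since the plaintext is in hand at both moments. The tag strings, iteration count and sample user are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example, not code from the post. Each record carries the
# field the post proposes, user_password_hash_function, so the verifier
# knows which algorithm produced the stored hash.

# The scheme new passwords are written with. The tag name, the iteration
# count and the choice of PBKDF2 as the "new hash function" are assumptions.
CURRENT_SCHEME = "pbkdf2-sha256"
PBKDF2_ROUNDS = 100_000


def compute_hash(scheme, password, salt):
    """Hash `password` under the named scheme; `salt` is bytes (empty for legacy tags)."""
    data = password.encode("utf-8")
    if scheme == "md5":           # legacy, unsalted: what a 2007 system might hold
        return hashlib.md5(data).hexdigest()
    if scheme == "sha1":          # legacy, unsalted
        return hashlib.sha1(data).hexdigest()
    if scheme == CURRENT_SCHEME:  # salted and iterated
        return hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ROUNDS).hex()
    raise ValueError("unknown hash function tag: %r" % scheme)


def make_record(user_name, password, scheme=CURRENT_SCHEME):
    """Build a user record; the scheme tag is stored next to the hash."""
    salt = os.urandom(16) if scheme == CURRENT_SCHEME else b""
    return {
        "user_name": user_name,
        "user_password_hash_function": scheme,
        "user_password_salt": salt.hex(),
        "user_password_hash": compute_hash(scheme, password, salt),
    }


def verify_and_upgrade(record, password):
    """Check `password` against `record`.

    Returns (ok, record). On success, if the stored scheme is not the current
    one, the returned record is re-hashed under CURRENT_SCHEME: the plaintext
    is in hand at this moment, so no separate password change is needed.
    """
    scheme = record["user_password_hash_function"]
    salt = bytes.fromhex(record["user_password_salt"])
    candidate = compute_hash(scheme, password, salt)
    # constant-time comparison so the check itself leaks nothing about the hash
    if not hmac.compare_digest(candidate, record["user_password_hash"]):
        return False, record
    if scheme != CURRENT_SCHEME:
        return True, make_record(record["user_name"], password)
    return True, record


if __name__ == "__main__":
    # Constructed legacy record, as a 2007 database might have stored it.
    legacy = make_record("Moryton", "correct horse", scheme="md5")
    ok, upgraded = verify_and_upgrade(legacy, "correct horse")
    print(ok, legacy["user_password_hash_function"], "->",
          upgraded["user_password_hash_function"])
    # The upgraded record still verifies, and a wrong password still fails.
    print(verify_and_upgrade(upgraded, "correct horse")[0],
          verify_and_upgrade(upgraded, "wrong")[0])
```

The caller persists whatever record verify_and_upgrade returns; after every user has logged in or changed their password once, no record tagged with the old function remains, and the old branch of compute_hash can be retired.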
