I have been reading up a lot on hashing and site security recently.
I have always had a few doubts about hashing though most likely just due to lack of understanding...
If a database is stolen, then surely all of a users information (except the password) is readily available for an attacker to view..they wouldn't need a password in the first place....?
If an attack is performed on the site itself, then no matter how much hashing is done, 1 guess of the right password using rainbow tables will allow access.
That said, here are my thoughts for the security of the site I am currently developing.
- Take the chosen users password and split it - probably in half. If you know there is a minimum of 6 letters in the password, split it 6 times (the 6th time being the remainder of the password)
E.G. "pass" +"word", or even "p", "a", "s", "s","w","o","r","d".
Use different hashes and salts with each part.
save each of these in the database, and then combine them when checking login.
if (password <> $part1+part2...)
I do understand that this is potentially overkill and could slow down login, but my belief is that you cant be too secure.
I am also considering making members to have a number code as well (like banks often do) as this essentially means that an attacker has two passwords to crack. (my site does need to be extra secure )
Finally, to address my first point, am thinking of encrypting all data stored in the database too.
Would appreciate your thoughts!