Comments on Delphi Bar: Password Hashing
(comment feed, last updated 2023-12-01T01:44:11.747-08:00; 10 comments, shown oldest first)

Yves, 2020-01-21 05:34:53 -08:00:
TMS Cryptography Pack wouldn't do this?
(Disclaimer, I haven't used it, but am looking at their all access package)

Ondrej Kelle, 2020-01-21 06:04:18 -08:00:
https://github.com/Xor-el/HashLib4Pascal

Richard, 2020-01-21 06:29:28 -08:00:
With TMS you also need to store the salt. So when a user enters the password you hash it with the previous salt and compare the hash values. In Visual Studio you can have different salt values that produce different hash values but the validation matches them (PBKDF2).

Anonymous, 2020-01-21 07:06:15 -08:00:
https://bitbucket.org/sergworks/tforge/downloads/

Darian, 2020-01-21 10:54:08 -08:00:
I don't see how it would be possible to validate the hashed salted password without the salt. There seems to be something fundamentally broken if you are able to accomplish that task. You typically store the cleartext username, hashed password, and cleartext salt. Your salt can/should be unique per user. The salt should be cryptographically secure random data and not overly short. If you want to be overly secure, store the salt in a separate location from the username and hash. Certainly don't have one salt value for the entire database, as that would dramatically reduce its value. I haven't used TMS components, but on the face of it they seem fine. SecureBlackBox.com has the 'best' Delphi components for security, and StreamSec would be a runner-up. I just purchased a TMS all-access license and I will be testing their cipher set soon and plan on using it.

Specifically, PBKDF2 is calculated as: DK = PBKDF2(PRF, Password, Salt, c, dkLen). One character difference in salt should produce a completely unintelligible/incomparable derived key result... there should be no way to compare two hashes with different salts.

Arnaud, 2020-01-21 17:14:50 -08:00:
Check TSynSigner.PBKDF2 in https://github.com/synopse/mORMot/blob/master/SynCrypto.pas#L2050
This supports SHA-1, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHA3-S128, SHA3-S256 as the internal hashing algorithm, and it is the fastest implementation in Delphi AFAIK.

Anonymous, 2020-01-21 23:37:12 -08:00:
Try Bcrypt for Delphi or Scrypt for Delphi
https://github.com/JackTrapper/bcrypt-for-delphi
https://github.com/JackTrapper/scrypt-for-delphi

zorancz, 2020-01-22 01:40:13 -08:00:
I can recommend this bcrypt library too. Bcrypt is a standard solution for this task and the library is working without a problem for our systems.

Arnaud, 2020-01-22 02:05:19 -08:00:
By definition, salt could be known and stored within the DB, e.g. as 'salt|hashedpassword'. It just should be genuine, even better associated with a timestamp and an expiration time.

Richard, 2020-01-23 23:26:37 -08:00:
Yes, BCrypt does seem to do what I am after. Thanks.