Web application security: Difference between revisions

From Rixort Wiki
Jump to navigation Jump to search
No edit summary
Line 1: Line 1:
== Definitions ==
Know the difference between:
* Encryption / Decryption
* Encoding / Decoding
* Hashing
* Message authentication
There are some overlaps and sometimes the terms are used interchangeably, but ultimately they are different tools for different use cases (e.g. don't use a hash if you need to retrieve the original input).
== Peppers ==
== Peppers ==



Revision as of 15:51, 8 April 2023

Definitions

Know the difference between:

  • Encryption / Decryption
  • Encoding / Decoding
  • Hashing
  • Message authentication

There are some overlaps and sometimes the terms are used interchangeably, but ultimately they are different tools for different use cases (e.g. don't use a hash if you need to retrieve the original input).

Peppers

Like salts, but global to the application (and only known to the application, not the database). Don't bother with these, because:

  • They provide limited extra 'security'
  • You can't easily rotate the pepper as it is effectively embedded in password hashes etc.

If your passwords are salted, a pepper adds very little and causes extra maintenance and the problem of rotating keys. Also, on the vast majority of web applications - especially small ones - the application and database are on the same server anyway.

Articles