Using a password to generate two distinct hashes without reducing password security
Posted
by Nevins
on Stack Overflow
See other posts from Stack Overflow
or by Nevins
Published on 2010-04-21T14:47:17Z
Indexed on
2010/05/13
23:14 UTC
Read the original article
Hit count: 251
Hi there, I'm in the process of designing a web application that will require the storage of GPG keys in an encrypted format in a database.
I'm planning on storing the user's password in a bCrypt hash in the database. What I would like to be able to do is to use that bCrypt to authenticate the user then use the combination of the stored bCrypt hash and another hash of the password to encrypt and decrypt the GPG keys.
My question is whether I can do this without reducing the security of the password? I was thinking I may be able to use something like an HMAC-SHA256 of a static string using the password and a salt as the secret key.
Is there a better way to do this that I haven't thought of?
Thanks
© Stack Overflow or respective owner