
Password encryption?

02-16-2007, 12:32 PM
#21
Gerard

Just make a custom encryption.
That's what most people do.

02-16-2007, 12:58 PM
#22
Impluo

Gee, that sounds like a great idea! Now if only I knew how to do it...

(I just started learning PHP so I doubt I could write a custom encryption that I would consider decent)

02-16-2007, 06:33 PM
#23
DJAC

I don't know about custom encryption. Custom encryption will eventually get cracked. It's best to stick to encryption that is publicly known (the algorithm is known), but the keys (or hashes) are kept private.

I won't go into details, but in a basic security course, this is one of the first principles they teach you.

For example, RSA makes their algorithm public and gives a reward to whoever cracks it. What this actually does is make the encryption more secure, since once it is cracked, they increase the number of bits used to encrypt with and the process starts all over again.

This is a great thread. We should have more talk about security as it's one of the more important aspects of computing.

02-22-2007, 08:16 PM
#24
TomS

This sounds really complicated :s

02-22-2007, 08:59 PM
#25
RaZoR^

Use an encryption such as MD5, then salt the hashes. Salting them is a way of making all the hashes unique, of the same length (usually) and therefore not readily available in public hash databases. So even if one of your users had the password 'password', the hash wouldn't be found in a database online anywhere because it would be unique.

You can do this in PHP:
Code:
<?php
$password = md5('g5-H+DD1*a' . $password);
?>
The first part is the salt, the second part is the variable you want to encrypt

As said, public algorithms are more secure. Although they're more publicly viewable, they're made by professionals, are very secure, are usually one-way algorithms and you probably won't be able to beat 128-bit encryptions with your own.

If you make one yourself, it could most likely be decrypted by reversing the algorithm, which despite being time consuming, would be a lot quicker to do than generating rainbow tables, brute-forcing or dictionary attacking a public encryption.

02-23-2007, 08:30 AM
#26
localhost

PHP Code:
<?php
$date = time();
$password = md5($date);
$spass = md5($password);
?>
That's gotta be pretty secure...

02-23-2007, 09:21 AM
#27
echoSwe

Razor: Hashing != encrypting, and you salt the password, not the hash, and hashes are designed to be unique no matter what. MD5, on the other hand, has verified collisions.

Webmonkey: md5 is broken. Don't use it. And you also don't have a password in there, unless your time() method returns a cleartext password...

02-23-2007, 01:37 PM
#28
RaZoR^

Yes, sorry, salting the password before the hash is generated. But the same point still stands in it. If people are silly enough as to sign up with the password 'password', without salting the password first, it could easily be dictionary-attacked or found online somewhere in a hash database.

02-24-2007, 10:32 AM
#29
echoSwe

Yes, but a salt is different for every row in the database, not hard-coded like you wrote...

You should create password criteria at sign-up.
However, whether they use 'password' as their password or not is really not interesting in this discussion, but rather how to store their password in a way that doesn't open too wide avenues of attack. You should create password criteria at sign-up...
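
The difference between the hard-coded salt in post #25 and a salt that is different for every row, shown as an added example that is not part of any post in this thread. It swaps MD5 for PHP's built-in password_hash() and password_verify() (PHP 5.5 and later); the account names and passwords are constructed for illustration.

```php
<?php
// Added example; the user names and passwords below are constructed.

// Hard-coded salt, as posted in #25: every row is hashed with the same prefix.
function fixed_salt_hash(string $password): string
{
    return md5('g5-H+DD1*a' . $password);
}

// Per-row salt: password_hash() draws a fresh random salt on each call and
// stores it, with the algorithm and cost, inside the returned string.
function per_row_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Stand-in for the users table: two accounts that chose the same password.
$signups = ['alice' => 'password', 'bob' => 'password'];

$fixed  = array_map('fixed_salt_hash', $signups);
$perRow = array_map('per_row_hash', $signups);

// With one shared salt, equal passwords give equal rows, so a single guess
// checked against the table matches every account that used that password.
echo 'fixed salt, rows equal:   ';
var_dump($fixed['alice'] === $fixed['bob']);

// With a salt per row, equal passwords give different rows.
echo 'per-row salt, rows equal: ';
var_dump($perRow['alice'] === $perRow['bob']);

// Login check: password_verify() reads the salt back out of the stored row.
echo 'correct password accepted: ';
var_dump(password_verify('password', $perRow['bob']));
echo 'wrong password accepted:   ';
var_dump(password_verify('passw0rd', $perRow['bob']));

// Rows record how they were hashed, so they can be re-hashed at next login
// if the server's default algorithm or cost is later raised.
echo 'needs rehash: ';
var_dump(password_needs_rehash($perRow['alice'], PASSWORD_DEFAULT));
```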

02-24-2007, 12:04 PM
#30
JochenVandeVelde

Here, I made a hashing function that combines various hashing functions and uses a salt.

Code:
<?php

function encrypt($string, $salt = 'omg135sdf_.*')
{
	$string = strrev($string.$salt);
	$string = crc32($salt.$string);
	$string = str_rot13($string);
	$string = strrev($string);
	$string = bin2hex(md5($salt.$string.$salt, TRUE));
	$string = base64_encode(strrev(str_rot13($string.$salt.$salt)));
	$string = sha1($salt.strrev($string));
	$string = trim(htmlentities(stripslashes($string)));
	
	return $string;
}

?>
Try to crack that
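
A review of how much of the password survives the chain in post #30, as an added example that is not part of JochenVandeVelde's post. The helper names stage_crc() and stage_rest() and the sample passwords are made up for this illustration; encrypt() is copied from the post unchanged.

```php
<?php
// Added example. encrypt() is post #30's function, copied unchanged.
function encrypt($string, $salt = 'omg135sdf_.*')
{
    $string = strrev($string.$salt);
    $string = crc32($salt.$string);
    $string = str_rot13($string);
    $string = strrev($string);
    $string = bin2hex(md5($salt.$string.$salt, TRUE));
    $string = base64_encode(strrev(str_rot13($string.$salt.$salt)));
    $string = sha1($salt.strrev($string));
    $string = trim(htmlentities(stripslashes($string)));
    return $string;
}

// Step 2 in isolation: the only place the password enters the chain.
function stage_crc(string $password, string $salt = 'omg135sdf_.*'): int
{
    return crc32($salt . strrev($password . $salt));
}

// Steps 3 to 8 written as a function of that integer and the salt only.
function stage_rest(int $crc, string $salt = 'omg135sdf_.*'): string
{
    $s = strrev(str_rot13((string) $crc));
    $s = bin2hex(md5($salt . $s . $salt, true));
    $s = base64_encode(strrev(str_rot13($s . $salt . $salt)));
    return trim(htmlentities(stripslashes(sha1($salt . strrev($s)))));
}

// Constructed sample passwords of very different lengths.
$samples = ['password', 'x', str_repeat('correct horse battery staple ', 4)];

foreach ($samples as $pw) {
    $crc = stage_crc($pw);
    // The comparison holds for any input: the result depends on $crc alone.
    echo 'output determined by CRC32: ';
    var_dump(encrypt($pw) === stage_rest($crc));
    // rot13 only moves letters, so it leaves a string of digits unchanged.
    echo 'rot13 step is a no-op:      ';
    var_dump(str_rot13((string) $crc) === (string) $crc);
}
```

Because the password reaches the later steps only through a 32-bit CRC, the function has at most 2^32 distinct outputs per salt however long the password is, and the MD5 and SHA-1 steps cannot add back what was discarded.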
