Encryption of a string
How can I really securely encrypt a password? I know there is a thing called salting but I don't know how to use it or why I should use it. I'm only using MD5 at the moment but I don't think it's secure enough... Help!
JPlush76
- Forum Regular
- Posts: 819
- Joined: Thu Aug 01, 2002 5:42 pm
- Location: Los Angeles, CA
- Contact:
I think it depends on what kind of data you're going to be storing.
If you're keeping people's credit card information in your database you should use high-end security, but if you have an online forum or some small application like that, MD5 seems fine.
P.S. I remember the good old days of takuma defending md5 to the death, hehe
- hob_goblin
- Forum Regular
- Posts: 978
- Joined: Sun Apr 28, 2002 9:53 pm
- Contact:
If someone enters a password and has access to your database and sees someone with the same encryption string, they know what the password is. So if you salt the password and then encrypt it, it will be a different string for the same password.
i.e.:
I was saying to just use your username and password.
$username = "dusty";
$password = "pass";
$password = $username . $password;
If you do md5($password) you come up with:
2a6d00fb64466476f4696aefa59f40d8
Whereas if you md5 the unsalted password you'd get:
1a1dc91c907325c69271ddf0c944bc72
Providing your own salt might even be a better idea; that way no one can go through md5($user_pass_combo) until they find a match.
There is no 100% secure encryption method. md5 alone is probably enough, but adding salt wouldn't hurt.
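The point made above, as an added example that is not hob_goblin's code: with an unsalted md5, two accounts that chose the same password end up with the same stored value, so anyone reading the table can pair them up, while a random per-user salt makes the stored values differ. The sample accounts are constructed, the salt size (16 bytes from random_bytes()) is an assumption, and md5() is kept only because it is the function the thread discusses; for real password storage use a hash built for passwords, as in the later example.

```php
<?php
// Added example (not from the thread): identical passwords are visible under an
// unsalted hash, and a per-user random salt hides that. md5() is used only
// because the thread discusses it; it is not a recommended password hash.

declare(strict_types=1);

/** Constructed sample accounts: two users happen to share the same password. */
function sampleUsers(): array
{
    return [
        'dusty' => 'pass',
        'alice' => 'pass',
        'bob'   => 'hunter2',
    ];
}

/** Unsalted: the stored value depends only on the password. */
function hashUnsalted(string $password): string
{
    return md5($password);
}

/**
 * Salted: 16 random bytes per user (assumed size), stored next to the hash.
 * A salt is not a secret; its job is to make each user's input unique.
 */
function hashSalted(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

/** Number of hash values shared by more than one user; anything above 0 leaks who reused a password. */
function duplicateHashGroups(array $hashes): int
{
    $counts = array_count_values($hashes);
    return count(array_filter($counts, fn(int $n): bool => $n > 1));
}

$unsalted = [];
$salted   = [];
foreach (sampleUsers() as $user => $pw) {
    $unsalted[$user] = hashUnsalted($pw);
    $salted[$user]   = hashSalted($pw)['hash'];
}

printf("unsalted: %d group(s) of users with identical hashes\n", duplicateHashGroups($unsalted));
printf("salted:   %d group(s) of users with identical hashes\n", duplicateHashGroups($salted));
```

Running this with the constructed accounts reports one shared-hash group in the unsalted table (dusty and alice) and none in the salted one. Note that salting with the username, as in the post above, would also separate dusty from alice, but the salt is then known in advance for every account; a value from random_bytes() is not.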
- twigletmac
- Her Royal Site Adminness
- Posts: 5371
- Joined: Tue Apr 23, 2002 2:21 am
- Location: Essex, UK
A good salt should not be predictable. If you use either username or email, the salt for a given user is predictable; this allows the attack to begin prior to compromising any accounts.
See http://www.devnetwork.net/forums/viewto ... c&start=15 for an earlier post of mine about this. (Actually page one of the thread is good too.) Also see http://www.devnetwork.net/forums/viewto ... 6&start=15 for examples of how these different tools fit together. (My second post on that page)
- hob_goblin
- Forum Regular
- Posts: 978
- Joined: Sun Apr 28, 2002 9:53 pm
- Contact:
I had an idea:
Have two tables, one for the user info, and one for salts.
Upon registration, generate a random salt into a variable.
Use that salt to encrypt the password. Take the encryption and use it as the identifier to pull out the random salt from the second table, and then run that salt against the inputted password to see if it equals the value in the first.
Make sense?
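The two-table register/login flow proposed above, as an added example that is not the poster's code: a PHP array stands in for each table, the salt is generated randomly at registration and looked up by the stored hash exactly as described, and hash_pbkdf2() with an assumed iteration count replaces md5() because it is slow by design. The account names and passwords are constructed.

```php
<?php
// Added example, not the poster's code: the two-table flow described above,
// with PHP arrays standing in for the "users" and "salts" tables.

declare(strict_types=1);

const PBKDF2_ITERATIONS = 100000; // assumed value; raise it as hardware allows
const SALT_BYTES        = 16;     // assumed salt size

/** Derive the value kept in the users table from the salt and the password. */
function derive(string $salt, string $password): string
{
    // 64 hex characters of PBKDF2-HMAC-SHA256 output
    return hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, 64);
}

/**
 * Registration: make a random salt, store the derived value in the users table
 * and the salt in the salts table, keyed by that derived value.
 */
function register(array &$users, array &$salts, string $username, string $password): void
{
    $salt = random_bytes(SALT_BYTES);
    $hash = derive($salt, $password);
    $users[$username] = $hash;
    $salts[$hash]     = $salt;
}

/**
 * Login: fetch the user's stored value, use it to pull the salt from the second
 * table, re-derive from the submitted password and compare in constant time.
 */
function login(array $users, array $salts, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        return false;
    }
    $stored = $users[$username];
    $salt   = $salts[$stored] ?? '';
    return hash_equals($stored, derive($salt, $password));
}

$users = [];
$salts = [];
register($users, $salts, 'dusty', 'pass');
register($users, $salts, 'alice', 'pass');

var_dump(login($users, $salts, 'dusty', 'pass'));   // correct password
var_dump(login($users, $salts, 'dusty', 'wrong'));  // wrong password
var_dump($users['dusty'] === $users['alice']);      // same password, different salts
```

The second table is not actually needed for security: the salt is not secret, so it is normally stored in the same row as the hash, and in current PHP password_hash() and password_verify() generate, store and check a random salt for you. hash_equals() is used for the comparison so that the check takes the same time whether or not the values match.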
