Encryption of a string
Posted: Sun Sep 15, 2002 3:24 am
by Takuma
How can I really securely encrypt a password? I know there is a thing called salting, but I don't know how to use it or why I should use it. I'm only using MD5 at the moment, but I don't think it's secure enough... Help!
Posted: Sun Sep 15, 2002 12:17 pm
by dusty
A quick fix for salting is to make the password a combination of the username and password, encrypted.
Posted: Mon Sep 16, 2002 5:18 pm
by Takuma
OK...
But I need to know what is salting and which encryption I should use...
Posted: Mon Sep 16, 2002 5:20 pm
by phice
It's weird... PHP has crypt(), yet they don't have decrypt().

Posted: Mon Sep 16, 2002 5:21 pm
by Takuma
Anybody know the address of a tutorial about serialisation?
Posted: Mon Sep 16, 2002 5:38 pm
by JPlush76
I think it depends on what kind of data you're going to be storing.
If you're keeping people's credit card information in your database you should use high-end security, but if you have an online forum or some small application like that, MD5 seems fine.
P.S. I remember the good old days of Takuma defending MD5 to the death, hehe

Posted: Mon Sep 16, 2002 6:44 pm
by hob_goblin
All I can say is:
RTFM
Posted: Mon Sep 16, 2002 6:44 pm
by dusty
If someone enters a password and has access to your database and sees someone with the same encryption string, they know what the password is. So if you salt the password and then encrypt, it will be a different string for the same password.
i.e.:
I was saying to just use your username and password.
$username = "dusty";
$password = "pass";
$password = $username . $password;
If you do md5($password) you come up with:
2a6d00fb64466476f4696aefa59f40d8
Whereas if you md5 the unsalted password you'd get:
1a1dc91c907325c69271ddf0c944bc72
Providing your own salt might even be a better idea; that way no one can go through md5($user_pass_combo) until they find a match.
There is no 100% secure encryption method. MD5 alone is probably enough, but adding salt wouldn't hurt.
Posted: Tue Sep 17, 2002 12:51 am
by Takuma
Thanks..
And hob_goblin, is "RTFM" a type of encryption?
P.S. JPlush76 ->

Posted: Tue Sep 17, 2002 2:05 am
by twigletmac
RTFM is hob_goblin's way of telling you to go read the manual. Basically, do some homework before you ask the question, like searching the forum, searching the manual, and searching generally on the web.
Mac
Posted: Tue Sep 17, 2002 10:53 am
by Takuma
OK, thanks. I did a bit though...

Looks like 2 hours of searching wasn't good enough

Posted: Tue Sep 17, 2002 11:43 am
by JPlush76
What would make a good salt if I use the email address as their username?
I wouldn't want to use the email address to salt with because they can always change their email address, and then their password wouldn't match up.
Any thoughts?
Posted: Tue Sep 17, 2002 12:49 pm
by dusty
In that case just use your own salt.
$salt = "9sdf8a72";
$password = $password . $salt;
Posted: Tue Sep 17, 2002 12:50 pm
by nielsene
A good salt should not be predictable. If you use either the username or the email, the salt for a given user is predictable; this allows the attack to begin prior to compromising any accounts.
See
http://www.devnetwork.net/forums/viewto ... c&start=15 for an earlier post of mine about this. (Actually page one of the thread is good too.) Also see
http://www.devnetwork.net/forums/viewto ... 6&start=15 for examples of how these different tools fit together. (My second post on that page)
Posted: Tue Sep 17, 2002 2:47 pm
by hob_goblin
I had an idea:
Have two tables, one for the user info, and one for salts.
Upon registration, generate a random salt into a variable.
Use that salt to encrypt the password. Take the encryption and use it as the identifier to pull the random salt out of the second table, and then run that salt against the inputted password to see if it equals the value in the first.
Make sense?
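The scheme the thread converges on (dusty's salting explanation, nielsene's point that the salt must not be predictable, and hob_goblin's registration/login flow), written out as an added example; this is not code from any poster. The in-memory user table and the function names are assumptions made for illustration, and sha256 via hash() stands in for the md5() the posts used:

```php
<?php
// Added example, not code from the thread: a random per-user salt generated
// at registration, stored beside the hash, and re-applied at login.
// The in-memory table and function names are assumptions for illustration.
// Requires PHP 7.1+ (random_bytes(), hash_equals(), array destructuring).

// Digest of salt and password. The thread used md5(); sha256 is used here so
// the example does not rest on a broken hash. The salt, not the hash
// function, is what keeps two identical passwords from producing identical rows.
function salted_hash(string $salt, string $password): string
{
    return hash('sha256', $salt . $password);
}

// Registration. The salt is random rather than derived from the username or
// e-mail address, so it cannot be precomputed for a chosen account before the
// table is ever seen, and it does not break when the user changes their e-mail.
function register_user(array &$table, string $username, string $password): void
{
    $salt = bin2hex(random_bytes(16)); // 32 hex characters of CSPRNG output
    $table[$username] = [
        'salt' => $salt,
        'hash' => salted_hash($salt, $password),
    ];
}

// Login. Re-hash the submitted password with the stored salt and compare in
// constant time. The salt is not a secret, only unique, so it can live in the
// same row as the hash; a second salt table keyed by the hash is unnecessary.
function verify_user(array $table, string $username, string $password): bool
{
    if (!isset($table[$username])) {
        return false;
    }
    $row = $table[$username];
    return hash_equals($row['hash'], salted_hash($row['salt'], $password));
}

// Constructed sample data: two users who picked the same weak password.
$accounts = [['dusty', 'pass'], ['takuma', 'pass']];

// Unsalted, both accounts store the same digest, so anyone reading the table
// sees that they share a password and can look that digest up directly.
foreach ($accounts as [$name, $pw]) {
    printf("%-7s unsalted md5: %s\n", $name, md5($pw));
}

// Salted, the stored rows differ even though the passwords are identical.
$userTable = [];
foreach ($accounts as [$name, $pw]) {
    register_user($userTable, $name, $pw);
    printf("%-7s salt=%s hash=%s\n", $name, $userTable[$name]['salt'], $userTable[$name]['hash']);
}

// Login checks: correct password, wrong password, unknown user.
foreach ([['dusty', 'pass'], ['dusty', 'wrong'], ['nobody', 'pass']] as [$u, $p]) {
    printf("login %s / %s: %s\n", $u, $p, var_export(verify_user($userTable, $u, $p), true));
}
```

Running the script shows the two unsalted md5 values identical and the two salted rows different, then true/false/false for the three login attempts. On current PHP the same storage pattern (random salt kept with the hash, constant-time check) is built into password_hash() and password_verify(), which also apply a deliberately slow hash, so new code should call those rather than hand-rolling a fast digest.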
