securely expand a password to 128 bits

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

TheProgrammer
Forum Newbie
Posts: 22
Joined: Mon Nov 27, 2006 12:25 am

Post by TheProgrammer »

Hello guys,
I'm trying to expand a password that will probably have less than 128 bits (16 characters) to exactly 128 bits in order to use it as a key for MySQL AES encryption. I can't ask the users to input a minimum of 16 characters. It would suck. So I need to expand the password somehow. I don't think repeating it would be a good idea since I know this would bring some cryptographic vulnerabilities. What can I try?
The best idea, I think, is to make a hash of the password, since this is securely expanded already, then select 128 bits, but I'm not so sure it's so good. I wanted to consult with you first.
I would appreciate your opinion. Thanks!
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

pad it?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Padding it can certainly work (one-time), MD5 could potentially work too as could other hashing algorithms that generate even longer hash results (chopped in some fashion I suspect.)

I would definitely have a minimum password length required. The shorter it is, the stronger the entropy they must have in it... although it's definitely best to give an overall strength rating.
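
The options raised in this thread (padding, a bare MD5 hash), compared with a salted, iterated key derivation function. This is an added example, not part of any poster's reply. PBKDF2 is not mentioned in the thread; it is used here as a standard alternative to a bare hash. The function names, sample password and iteration count are assumptions, and the code needs PHP 7.1 or later.

```php
<?php
// Added example, not code from the thread. Requires PHP 7.1+.
// Function names, the sample password and the iteration count are assumptions.

// Padding: bytes past the password are a fixed, publicly known filler.
function key_by_padding(string $pw): string {
    return str_pad(substr($pw, 0, 16), 16, "\0");
}

// Bare hash: fills all 16 bytes, but is unsalted and costs one fast hash.
function key_by_md5(string $pw): string {
    return md5($pw, true); // raw MD5 output is exactly 16 bytes
}

// Salted, iterated KDF: per-user salt plus a tunable work factor.
function key_by_pbkdf2(string $pw, string $salt, int $iterations): string {
    return hash_pbkdf2('sha256', $pw, $salt, $iterations, 16, true);
}

// Time a single derivation, in milliseconds.
function time_ms(callable $derive): float {
    $start = microtime(true);
    $derive();
    return (microtime(true) - $start) * 1000;
}

$password   = 'tiger42';        // constructed: same short password for two users
$saltA      = random_bytes(16); // stored per user next to the ciphertext
$saltB      = random_bytes(16);
$iterations = 100000;           // assumed work factor; tune for your hardware

$rows = [
    'padding' => [key_by_padding($password), key_by_padding($password)],
    'md5'     => [key_by_md5($password), key_by_md5($password)],
    'pbkdf2'  => [key_by_pbkdf2($password, $saltA, $iterations),
                  key_by_pbkdf2($password, $saltB, $iterations)],
];
foreach ($rows as $name => [$userA, $userB]) {
    printf("%-8s len=%d  A=%s  B=%s  same=%s\n", $name, strlen($userA),
        bin2hex($userA), bin2hex($userB), hash_equals($userA, $userB) ? 'yes' : 'no');
}

printf("one md5 derivation:    %.4f ms\n", time_ms(function () use ($password) {
    key_by_md5($password);
}));
printf("one pbkdf2 derivation: %.4f ms\n", time_ms(function () use ($password, $saltA, $iterations) {
    key_by_pbkdf2($password, $saltA, $iterations);
}));
```

All three methods return 16 bytes, but only the PBKDF2 keys differ between two users with the same password. The salt and iteration count have to be stored alongside the encrypted data so the key can be derived again.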