[dev] Password encryption (moved from IMP list)

Mike Cochrane mike at graftonhall.co.nz
Tue Jun 17 14:44:59 PDT 2003


> ----- Message from courtney at 4th.com ---------
> On Tuesday 17 June 2003 11:32, Eric Rostetter wrote:
> > > To check the password, take the credentials presented by the user, read
> > > the pseudo-random value from the database, and use that value to crypt
> > > the credentials using the same algorithm. If they match, good login.
> >

This sounds like quite a nice idea. Implementation would not be a big issue, as
far as writing a different auth driver goes. And a different SQL scheme will
obviously be needed for the extra column. But it certainly gives increased
security against a brute force attack and compromised database contents.

I would recommend the use of the blowfish cipher as it's been optimized in the
Horde_Cipher class and is available from mcrypt so will work compatibly with and
without the mcrypt extension (not available in win32).

- Mike :-)
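The verification flow quoted above (store a per-user pseudo-random value alongside the transformed credentials, re-run the same transform on login, compare) as an added, stand-alone example. It is not Horde's auth driver and not Mike's code: the in-memory `USER_TABLE` dict stands in for the SQL table with the extra column, and PBKDF2-HMAC-SHA256 is used as the keyed one-way transform in place of the blowfish `Horde_Cipher` route the post recommends, since the Python standard library has no blowfish. The iteration count is an assumption.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the SQL table with the extra column:
# username -> (random_value_hex, derived_value_hex)
USER_TABLE = {}

# Assumption for this example; tune to the deployment's CPU budget.
ITERATIONS = 100_000


def derive(password: str, random_value: bytes) -> bytes:
    """One-way transform of the credentials keyed by the per-user random value.

    The post's scheme uses a cipher for this step; PBKDF2-HMAC is substituted
    here because the stdlib ships it and it is purpose-built for passwords.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               random_value, ITERATIONS)


def set_password(username: str, password: str) -> None:
    """Generate a fresh pseudo-random value and store it with the derived value."""
    random_value = os.urandom(16)
    USER_TABLE[username] = (random_value.hex(),
                            derive(password, random_value).hex())


def check_password(username: str, presented: str) -> bool:
    """Read the user's random value, re-derive, and compare in constant time."""
    row = USER_TABLE.get(username)
    if row is None:
        # Do comparable work for unknown users so a missing row is not
        # distinguishable from a wrong password by response time.
        derive(presented, b"\x00" * 16)
        return False
    random_value_hex, stored_hex = row
    candidate = derive(presented, bytes.fromhex(random_value_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(stored_hex))


def stored_values_differ(user_a: str, user_b: str) -> bool:
    """True if the two users' stored derived values differ.

    With a per-user random value, two accounts sharing a password still get
    different rows, which is what blunts precomputed tables and lets a leaked
    table be attacked only one account at a time.
    """
    return USER_TABLE[user_a][1] != USER_TABLE[user_b][1]


if __name__ == "__main__":
    set_password("alice", "correct horse")
    set_password("bob", "correct horse")
    print("alice ok:", check_password("alice", "correct horse"))
    print("alice bad:", check_password("alice", "wrong"))
    print("unknown user:", check_password("nobody", "anything"))
    print("same password, different rows:", stored_values_differ("alice", "bob"))
```

The random value is stored in the clear next to the derived value, exactly as in the quoted scheme; its job is uniqueness per row, not secrecy. The constant-time comparison and the dummy derivation for unknown users are the two details a driver implementing this tends to miss.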


