[dev] Password encryption (moved from IMP list)
Scott Courtney
courtney at 4th.com
Wed Jun 18 07:22:06 PDT 2003
On Tuesday 17 June 2003 17:44, Mike Cochrane wrote:
> This sounds like quite a nice idea. Implementation would not be a big
> issue, as far as writting a different auth driver goes. And a different sql
> scheme will obviously be needed for the extra column. But it certianly
> gives increased security agains a brute force attack and compromised
> database contents.
It doesn't add an extra column. The pseudo-random value goes into the same
column as the md5() crypted password, separated from the latter by a colon
(a character that never appears in an md5() result, nor in an integer number).
>
> I would recomend the use of the blowfish cipher as it's been optimized in
> the Horde_Cipher class and is availble from mcrypt so will work compatibly
> with and without the mcrypt extension (not available in win32).
Does that run into problems with crypto regulations from country to country?
I originally chose MD5 because it's "pretty secure" and is built into PHP
by default. As a couple of people have pointed out, this whole proposal is
just a little added security, not a bulwark, and I think the quality of the
hash algorithm will be only a small factor in the overall security. Do you
disagree?
Kind regards,
Scott
--
-----------------------+------------------------------------------------------
Scott Courtney | "I don't mind Microsoft making money. I mind them
courtney at 4th.com | having a bad operating system." -- Linus Torvalds
http://4th.com/ | ("The Rebel Code," NY Times, 21 February 1999)
| PGP Public Key at http://4th.com/keys/courtney.pubkey
More information about the dev
mailing list