[dev] Password encryption (moved from IMP list)

Mike Cochrane mike at graftonhall.co.nz
Wed Jun 18 18:11:25 PDT 2003


> ----- Message from courtney at 4th.com ---------
>
> It doesn't add an extra column. The pseudo-random value goes into the same
> column as the md5() crypted password, separated from the latter by a colon
> (a character that never appears in an md5() result, nor in an integer
> number).

What I thought you were meaning was in the database you'd store a random value
then also this random value encrypted with the users password as the key. I'm
not sure how you would do this using just md5.

> >
> > I would recomend the use of the blowfish cipher as it's been optimized in
> > the Horde_Cipher class and is availble from mcrypt so will work compatibly
> > with and without the mcrypt extension (not available in win32).
>
> Does that run into problems with crypto regulations from country to country?
> I originally chose MD5 because it's "pretty secure" and is built into PHP
> by default. As a couple of people have pointed out, this whole proposal is
> just a little added security, not a bulwark, and I think the quality of the
> hash algorithm will be only a small factor in the overall security. Do you
> disagree?

I think I missed how exactly you were going to combine the users credentials and
the random value with md5 unless you just hash the two together.

- Mike :-)



More information about the dev mailing list