Lamez Posted October 17, 2008

I want to make my users' passwords more secure than just a one-way encryption. My plan is to make a salt generator, then add it to the password, and encrypt it. Then add the salt to the database, so when the user types in their password, I can check the password with the random salt generated from the script which is in the DB. My question is: is this secure enough?

Here is how I want to generate salt. Have the script generate a letter from a-r, and a number from 1-10. Then add them, so for example: a6, then I want to add 6 to the a, so I get g, and then add 10 to the generated number. So overall I get something like this: a6g16. Would that help?

-Thanks Guys!

xylex Posted October 17, 2008

That implementation would only provide for 180 possible salt combinations. Doing the extra stuff to get the g16 thing doesn't change this number. Why not just use something like uniqid()?

waynew Posted October 17, 2008

One 30 character salt + encryption method would, even with today's technology, take hundreds of years to crack. If your salt is random, that is, i.e. not a well known word, phrase, name etc.

Lamez Posted October 17, 2008

So is my method secure?

waynew Posted October 17, 2008

    $salt1 = "ujhuskedh!£)8J)o3uIoO4jjd3!";
    $salt2 = "7hsh!jdI2IoPL2TYjsn(-is8UJsj";
    $pass = sha1($salt1.$pass.$salt2);

.josh Posted October 17, 2008

You do know that like 99.99% of account/website cracks are not done by decrypting things (like someone's password), right? And that 0.01% really only exists because of people foolish enough to use very outdated methods or nothing at all. You should focus more on controlling/sanitizing input and making sure the script's logical flow is solid.

Lamez Posted October 18, 2008

I do know this, but even if there are flaws in my scripts and they discover the encryption, they would be less likely to decrypt it if it contains random crap.

Guest Xanza Posted October 18, 2008

Even if you were able to make your method work, if you don't have a secure database uncrackable passwords mean nothing... I would listen to what Violent has to say.

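Added example, not part of any post in this thread: it enumerates the a6g16 scheme from the first post to show the salt space xylex counted, then runs the planned store-and-check flow with a fresh random salt per user. The function names and the array standing in for the users table are hypothetical, the wrap-around past 'z' is an assumption the post does not state, and password_hash()/password_verify() are PHP built-ins that nobody in the thread mentions.

```php
<?php
// Added example, not code from the thread.

// The scheme from the first post: letter a-r, number 1-10, then the letter
// shifted by that number, then the number plus 10.
// Assumption: the shifted letter wraps around past 'z'; the post does not say.
function schemeSalt(string $letter, int $n): string
{
    $shifted = chr((ord($letter) - ord('a') + $n) % 26 + ord('a'));
    return $letter . $n . $shifted . ($n + 10);
}

// Enumerate every distinct salt the scheme can ever produce.
function schemeSaltSpace(): array
{
    $salts = [];
    foreach (range('a', 'r') as $letter) {
        foreach (range(1, 10) as $n) {
            // The derived suffix is a function of the prefix, so it adds no new values.
            $salts[schemeSalt($letter, $n)] = true;
        }
    }
    return array_keys($salts);
}

// Registration: password_hash() draws a fresh random salt on every call and
// stores it inside the returned string, so one column holds salt and hash.
function registerUser(array &$db, string $user, string $password): void
{
    $db[$user] = password_hash($password, PASSWORD_DEFAULT);
}

// Login: password_verify() reads the salt back out of the stored string.
function checkLogin(array $db, string $user, string $password): bool
{
    return isset($db[$user]) && password_verify($password, $db[$user]);
}

echo "example salt: ", schemeSalt('a', 6), "\n";
echo "distinct salts in the scheme: ", count(schemeSaltSpace()), "\n";

$db = [];   // constructed stand-in for the users table
registerUser($db, 'alice', 'correct horse');
registerUser($db, 'bob', 'correct horse');

// Same password for both users, yet the stored values differ per user.
var_dump($db['alice'] !== $db['bob']);
var_dump(checkLogin($db, 'alice', 'correct horse'));
var_dump(checkLogin($db, 'alice', 'wrong guess'));
```
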