Salt Generator, Security!

[Lamez]

I want to make my user's passwords more secure, than just a one way encryption. My plan is to make a salt generator, then add it to the password, and encrypt it. Then add the salt to the database, so when the user types in their password, I can check the password with the random salt generated from the script which is in the DB.

 

My question is; is this secure enough?

 

Here is how I want to generate salt.

 

have the script generate a letter from a-r, and a number from 1-10. Then add them so for example: a6, then I want to add 6 to the a, so I get g, and then add 10 to the generated number. So over all I get something like this a6g16.

 

Would that help?

 

-Thanks Guys!

[xylex]

That implementation would only provide for 180 possible salt combinations.  Doing the extra stuff to get the g16 thing doesn't change this number.  Why not just use something like uniqid()?

[waynew]

One 30 character salt + encryption method would, even with todays technology, take hundreds of years to crack. If your salt is random, that is. i.e not a well known word, phrase, name etc.

[Lamez]

so is my method secure?

[waynew]

$salt1 = "ujhuskedh!£)8J)o3uIoO4jjd3!";
$salt2 = "7hsh!jdI2IoPL2TYjsn(-is8UJsj";

$pass = sha1($salt1.$pass.$salt2);

[.josh]

You do know that like 99.99% of account/website cracks are not done by decrypting things (like someone's password), right? And that 0.01% really only exists because of people foolish enough to use very outdated methods or nothing at all. You should focus more on controlling/sanitizing input and making sure the script's logical flow is solid.

[Lamez]

I do know this, but even if there is flaws in my scripts, and they discover the encryption they would less likely to decrypt it, if it contains random crap.

[Guest Xanza]

Even if you were able to make your method work, if you don't have a secure database uncrackable passwords mean nothing... I would listen to what Violent has to say.