Jump to content

Recommended Posts

Hello,

 

I was just wondering if this would be a possible good way to secure a password:

 

public function encrypt($string) {
	$strlength = strlen($string);
	$randomText1 = substr($string, 0, 3);
	$randomText2 = substr($string, 6, 11);
	$hash = '#$%81jI*"?l1k2UAm"';

	$format = $hash.'L08Jh'.$randomText1.md5($string).sha1($hash).'$""'.$randomText2.'3Kjn'.$hash;

	return $format;
}

 

Outputs: #$%81jI*"?l1k2UAm"L08Jhjustt6648a7c22aa10fe3a93a60254c6668a85cf660db8fddd243a8ba751982f54c26a1351d2d$""stin3Kjn#$%81jI*"?l1k2UAm"

 

Would that be secure so that if someone got into my database the couldn't get the users password?

Link to comment
https://forums.phpfreaks.com/topic/266927-good-way-to-secure-passwords/
Share on other sites

Absolutely not! There are multiple threads on this same subject and the details are very involved so I'm not going to open that can of worms here. But, here's some of the problems I see:

 

1. Your end results contains fixed values ($hash, 'L08Jh', and '3Kjn', '$""', and sha1($hash)) that have nothing to do with increasing the security of the resulting value

2. This is the most egregious, you actually put un-hashed content of the password into the output ($randomText1 and $randomText2). If someone identifies those as coming from the password it would be very easily to identify a lot of users' passwords from your result. Using a dictionary check.

3. The only real hash of the password is md5($string). There are far too many rainbow tables available for MD5() and it is too easy for someone to try and brute force. You should be using a hash such as MD5 or SHA1 along with an appropriate custom salt for each value. That way an attacker could still try and brute force, but they would have to brute force each value independently.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.