Andy11548 Posted August 10, 2012

Hello, I was just wondering if this would be a possible good way to secure a password:

    public function encrypt($string) {
        $strlength = strlen($string);
        $randomText1 = substr($string, 0, 3);
        $randomText2 = substr($string, 6, 11);
        $hash = '#$%81jI*"?l1k2UAm"';
        $format = $hash.'L08Jh'.$randomText1.md5($string).sha1($hash).'$""'.$randomText2.'3Kjn'.$hash;
        return $format;
    }

Outputs:

    #$%81jI*"?l1k2UAm"L08Jhjustt6648a7c22aa10fe3a93a60254c6668a85cf660db8fddd243a8ba751982f54c26a1351d2d$""stin3Kjn#$%81jI*"?l1k2UAm"

Would that be secure, so that if someone got into my database they couldn't get the users' passwords?
Psycho Posted August 10, 2012

Absolutely not! There are multiple threads on this same subject and the details are very involved, so I'm not going to open that can of worms here. But here are some of the problems I see:

1. Your end result contains fixed values ($hash, 'L08Jh', '3Kjn', '$""', and sha1($hash)) that have nothing to do with increasing the security of the resulting value.

2. This is the most egregious: you actually put un-hashed content of the password into the output ($randomText1 and $randomText2). If someone identifies those as coming from the password, it would be very easy to identify a lot of users' passwords from your result using a dictionary check.

3. The only real hash of the password is md5($string). There are far too many rainbow tables available for MD5() and it is too easy for someone to try and brute force it.

You should be using a hash such as MD5 or SHA1 along with an appropriate custom salt for each value. That way an attacker could still try and brute force, but they would have to brute force each value independently.
Andy11548 (Author) Posted August 10, 2012

In that case, could you please link me?
Adam Posted August 10, 2012

Here's an 8-page debate that describes it in a lot of detail, and eventually goes on to explain how to do it properly: http://forums.phpfreaks.com/index.php?topic=254277.0
scootstah Posted August 11, 2012

Use bcrypt or PBKDF2. There are plenty of libraries available for the implementation of both, such as PHPass or phpseclib.
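As an added example (not code from this thread or from any of its posters), here is the PBKDF2 approach scootstah recommends, with the per-value random salt Psycho describes, written in Python rather than PHP so it runs stand-alone; the iteration count, salt size and the stored record format are assumptions chosen for the example:

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 parameters; these are assumptions for the example,
# not values taken from the thread.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: pbkdf2_<alg>$<iterations>$<salt_hex>$<hash_hex>.

    A fresh random salt is drawn per call, so two users with the same password
    get different stored values and a precomputed (rainbow) table is useless.
    Nothing in the record is derived from the password except the slow hash.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (ALGORITHM, iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the salt and iteration count kept in the record
    and compare in constant time, so the check does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algorithm = scheme[len("pbkdf2_"):]
        digest = hashlib.pbkdf2_hmac(
            algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    # Constructed sample password; same input twice yields two different records.
    first = hash_password("example-password-123")
    second = hash_password("example-password-123")
    print(first)
    print(second)
    print(verify_password("example-password-123", first), verify_password("wrong", first))
```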