invidious3 Posted January 19, 2007

What is the current standard for password security? I have used md5() but I see that people are building libraries to streamline the brute force attack. I have seen other people md5(md5)) their stuff but as a cryptography student in college, I know that this doesn't strengthen the encryption but it would be a mild stopgap against the libraries. I also understand that there is a way to build a library against any type of encryption, but I wanted to see if there was a new common standard other than md5.

Thanks.

fert Posted January 19, 2007

I created a little encryption function here:

[code]
function beta_crypt3($msg)
{
    $len=strlen($msg);
    $temp=$msg;
    $key=md5($msg);
    $key=sha1($key);
    for($foo=0;$foo<12;$foo++)
    {
        for($count=0;$count<$len;$count+=3)
        {
            // String offsets written with []; the {} form no longer parses on PHP 8.
            $temp[$count]=$temp[$count]^$key[$count];
            $temp[$count]=$temp[$count]^"13";
            $temp[$count]=md5($temp[$count]);
            $temp[$count]=sha1($temp[$count]);
        }
    }
    $temp=crc32($temp);
    $temp=sha1($temp);
    $temp=md5($temp);
    $temp.=sha1($temp);
    $temp=$temp&$temp;
    $temp.=$temp;
    $temp=sha1($temp);
    $temp=md5($temp);
    $temp=$temp&$temp;
    $temp=$temp|$temp;
    $temp=md5(crc32(sha1($temp)));
    $temp.=sha1(crc32(sha1(md5($temp))));
    $temp.=$key;
    return $temp;
}
[/code]

That's really hard to break, but the result is 113 characters.

Braclayrab Posted January 19, 2007

Using a salt will protect your passwords from being brute forced to some degree. Be sure to use a separate (randomly generated) salt for each user.

kevinkorb Posted January 19, 2007

Ummm. I'm not sure about the last post... however I've always read not to try your own encryption method.

One effective thing is to make your pre-encrypted string a long enough value that it would make rainbow tables not work well.

I.e.:

[code=php:0]
$pass = $_POST['pass'];
// The pad type is the constant STR_PAD_RIGHT, not the string 'pad_right'.
$pass = str_pad($pass, 20, '(', STR_PAD_RIGHT);
$enc_pass = md5($pass);
[/code]

Then the rainbow table would have to go up to 20 characters, which would be like storing all values. Since there are 95 printable ASCII characters, they would have to store 95 to the 20th power of records in the table... which really is absurd.

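Added example, not part of any post in this thread: it contrasts the fixed padding from the post above with the per-user random salt suggested earlier, then shows the same idea through PHP's built-in `password_hash()` / `password_verify()` (PHP 5.5+, not mentioned in the thread). The helper names `padded_md5` and `salted_md5` are hypothetical, the passwords are constructed samples, and md5 appears only to match the thread.

```php
<?php
// Fixed padding, as in the post above: every user gets the same transformation.
function padded_md5(string $pass): string
{
    return md5(str_pad($pass, 20, '(', STR_PAD_RIGHT));
}

// Per-user random salt, stored beside the digest so a login can recompute it.
function salted_md5(string $pass, ?string $salt = null): array
{
    $salt = $salt ?? bin2hex(random_bytes(16)); // 128-bit salt, new for each user
    return ['salt' => $salt, 'hash' => md5($salt . $pass)];
}

// Constructed sample data: two users who chose the same password.
$alice = 'letmein';
$bob   = 'letmein';

// 1. Fixed padding: both users end up with the same stored digest, so one
//    table built with the padding applied covers every account at once.
var_dump(padded_md5($alice) === padded_md5($bob));

// 2. Per-user salt: the stored digests differ although the passwords match,
//    so a precomputed table would have to be rebuilt for each salt.
$a = salted_md5($alice);
$b = salted_md5($bob);
var_dump($a['hash'] === $b['hash']);

// Login check: recompute with the stored salt, compare in constant time.
$attempt = salted_md5('letmein', $a['salt']);
var_dump(hash_equals($a['hash'], $attempt['hash']));

// 3. password_hash() generates the salt itself, embeds it in the returned
//    string, and uses a deliberately slow algorithm instead of a fast digest.
$stored = password_hash($alice, PASSWORD_DEFAULT);
var_dump(password_verify('letmein', $stored));   // correct password
var_dump(password_verify('letmeinn', $stored));  // wrong password
var_dump($stored === password_hash($bob, PASSWORD_DEFAULT)); // salts differ
```
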
Crimpage Posted January 19, 2007

For a login page etc... Why not just create a simple locked account feature?

If someone got into your database, then you might want crazy password encryption.

I would have: Password wrong 5 times, account locked for 12 hours.

This might be abused and someone might lock my account just to be a knob, so have an email system that is similar to account activation.

I try my account, it is locked, click the "Click here to reactivate your account". An email is sent to you with a reactivation link, you click it, and the lock goes away.

Therefore, someone only has 5 goes to get your password twice a day. It would be very simple to log account locks too so an admin could see hacking attempts.

Just ideas...