i'm likely going to be redoing the way i encrypt passwords in my database. this is in general, hiding data keeping it safe in your database.
more of web programming, but could be applied elsewhere using other functions - general cryptography.
hash algorithms md5, sha1, haval128 are weak alone.
whirlpool, tiger192, ripemd160 are the best hashes, if possible use them.
the slowest encrypting method is probably the best (in most cases) it will tend to be harder to crack via rainbow tables. use slower logins, session based fails etc.
do not use multiple hashes on a password it will reduce the possibilities. ex md5(sha1(md5(base64_encode($pass))))
generate a unique salt for each user. this will individualize the threat to single user therefore the attacker must generate a table for every user on your database, very tedious for them... use multiple salts in the password, and global salts as well.
Code:
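function rand_gen($n) {
    // characters the salt is drawn from
    $rv=Array("a", "b", "c", "d", "e","f","g","h","i","j","k","l","n","o","p","-","_","%","@","!","0", "+", "*","~","$","#", "z", "m", "r", "x", "y", "q", "w", "p", "u", "s", "t", "g", "1", "2", "3", "4", "5", "6", "7", "8", "9");
    $rvt=count($rv)-1;
    $constructedauth=''; // initialise before appending to it
    for ($i=0;$i<$n;$i++) {
        // random_int() draws from the system CSPRNG; rand() is not cryptographically secure
        $constructedauth.=$rv[random_int(0,$rvt)];
    }
    return $constructedauth;
}
// per-user salt, stored next to the hash in the users table
$rand=rand_gen(50);
// split the salt in half (the original line read an undefined $hash; $rand is assumed to be meant)
$hashish=str_split($rand,intdiv(strlen($rand),2));
// round the chunk size up so an odd-length password still splits into at most two chunks
$password = str_split($password,max(1,(int)ceil(strlen($password)/2)));
// interleave the password halves with the salt halves, then hash with whirlpool
$convert_pass=hash('whirlpool',$password[0].$hashish[0].($password[1] ?? '').$hashish[1]);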
mysql --> users table `$convert_pass`, `$rand`
--->split data up in every which way, make it complex - cryptic.
-->use random salts in unique login sessions, store bits and pieces on the client in such a way that serves to fool/confuse/bewilder the attacker
->as for cookies to prevent theft throw in a client specific ip / user agent in with the password or in another chunk of data. that will stick it in the thief's pipe
maybe i put this in the wrong topic, anyway extrapolate on general cryptography, methods in c++ or other language
Any criticisms to this/or better possible methods you can think of that i may be missing?
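As an added example, not part of the original post: the post's two points about a unique salt per user and a deliberately slow hash, shown with PHP's built-in password_hash() and password_verify(), which use bcrypt here rather than the post's whirlpool construction. The names register_user and check_login, the $users array standing in for the MySQL users table, and the cost value 12 are assumptions for illustration.

```php
<?php
// Added example. register_user, check_login and $users are hypothetical names.
declare(strict_types=1);

// Assumed work factor: raise it until one hash is as slow as your login path can afford.
const BCRYPT_COST = 12;

/** Store a new user. password_hash() generates a fresh random salt on every call
 *  and embeds the salt and the cost in the returned string, so one column holds it all. */
function register_user(array &$users, string $name, string $password, int $cost = BCRYPT_COST): void
{
    // Caveat: bcrypt only uses the first 72 bytes of the password.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/** Verify a login and upgrade hashes that were stored with an older, cheaper cost. */
function check_login(array &$users, string $name, string $password): bool
{
    // Unknown names are checked against a dummy hash so the response time
    // does not reveal which accounts exist.
    static $dummy = null;
    $dummy ??= password_hash('constructed-dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stored = $users[$name] ?? $dummy;

    // password_verify() reads salt and cost from $stored and compares in constant time.
    $ok = password_verify($password, $stored) && isset($users[$name]);

    if ($ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        register_user($users, $name, $password); // re-store at the current cost
    }
    return $ok;
}

// Constructed sample data: two users who happen to choose the same password.
$users = [];
register_user($users, 'alice', 'correct horse battery', 10); // legacy, cheaper cost
register_user($users, 'bob', 'correct horse battery');

// Different salts give different stored strings, so a precomputed table cannot cover both.
var_dump($users['alice'] !== $users['bob']);
var_dump(check_login($users, 'bob', 'wrong guess'));
var_dump(check_login($users, 'alice', 'correct horse battery'));
// After the successful login, alice's hash has been upgraded to the current cost.
var_dump(password_get_info($users['alice'])['options']['cost']);

// Time one hash to see what each guess costs at this work factor.
$t = microtime(true);
password_hash('constructed-timing-sample', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
printf("one hash at cost %d: %.0f ms\n", BCRYPT_COST, (microtime(true) - $t) * 1000);
```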