On Fri, 6 Jan 2006, Julien Bonastre wrote:

Any reason why you need to have reversible encryption on the password value??

 No... I just prefer to assume that if someone gets my DB, they might try
 using user/pass pairs on banking sites, or paypal, or other ways, and if I
 can reversible encrypt the password, I can send them an email with their
 password, rather than changing it to something obscure and force them to
 change it again...

 Though at this point, I just decided to md5 the password and call it good
 enough.  I'll just force them to change it if need be.

Generally I simply create some hash from the password, using something akin to a MD5 or SHA1 hash of the password string. Or in my paranoid case I use the password string, plus all sorts of replicatable combinations of values such as length of password, username, registration date/time etc plus weird other fixed values I find around the place and environment variables etc, then I hash them..

 A good idea; are you just careful then that you don't accidentally update
 the data without re-hasing your passwords?

I am completely psychotic so don't mind me, when I was 15 I wrote my Perl driven website http://operation-scifi.com [still Perl driven member system and file-system based forum] and I had a real mangler function whereby I would extract each character of the password and hash it, then hash the hash with the other characters, plus the hash of them with said fixed values from server/user account details [age, location etc..] ... It was something in the vicinity of a O(6^n+1)th generation hash by the time I had finished where n is the length of the original password..

 *laugh* Awesome!  Maybe a bit overkill for password, but still very cool.

 Unfortunately that leaves things unreversable, and if someone got a hold
 of your data AND your code, they could reverse-engineer... It seems
 security is only as good as your weakest link -- obscure code, private
 key, etc...

Peter Beckman                                                  Internet Guy
[EMAIL PROTECTED]                             http://www.purplecow.com/

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to