Best way to handle passwords using CI library?
[eluser]Techie-Micheal[/eluser]
[quote author="adamp1" date="1203171322"]Let me just throw my view in. I have done a cryptography course at degree level. Let me just say one thing: if you have a two-way encryption algorithm it can be broken very easily. You don't even need the key; if you know how it works (the algorithm), most can be broken by simple processes. If someone really wants some data you store, they will be able to get it, no matter how much you encrypt it. The only way you can stop it is to make the process so hard that the data isn't worth decrypting. I store my passwords using a SHA-1 with salt method. I would advise you all to do the same. DO NOT use two-way encryption just so the password can be made into ****'s. This is crazy; just say NO to the client. You're the expert, they should listen to you, and if they still refuse, print out a random-length string of **'s or something. So just to clarify, use SHA-1 with salt; it's the best there is at the moment. I know SHA-1 has been broken, but unless you're a crypto-geek it's probably the best and easiest to use.[/quote]

I'm sorry, but this bugs me. Not that you aren't right (well, except for SHA-1 being the best there is; there's SHA-256, SHA-512)

Hashing, on the other hand, is one-way. It cannot be reversed. Sure, you can get collisions, run birthday attacks, brute force it, and various other attacks, but you cannot reverse it. At the end of the day, you get a string, compare it to the hash you are trying to find, and keep going. Contrast that to the Level 7 Cisco passwords, which can be broken in under a minute because they used sorry encryption algorithms instead of hashing (à la Level 5).

As for handling passwords, phpBB (my favorite bb software) [disclaimer: I used to be on the team, handling support and security] uses a slightly modified version of this: http://www.openwall.com/phpass/, which came highly recommended from SektionEins (http://www.sektioneins.de/). I would suggest you look at it too.
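As an added illustration of the salted one-way hashing that both posts recommend (a constructed Python example, not code from CodeIgniter, phpBB or phpass; the `salt$digest` record format, the 16-byte salt length and the function names are my own assumptions), the following stores a password as a salted SHA-256 digest and verifies a login attempt by recomputing it. There is deliberately no "decrypt" function: a stored record gives back nothing but the salt and the digest, which is the point the reply makes about hashing versus reversible encryption.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example: salted one-way password hashing with SHA-256.
# Record layout (an assumption, not a phpass or CodeIgniter format):
#   "<hex salt>$<hex sha256(salt || password)>"
SALT_BYTES = 16
SEPARATOR = "$"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return the stored record for a password.

    A fresh random salt is drawn for every record unless one is passed in,
    so two users with the same password get different stored values and a
    precomputed table of digests is useless against the database.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + SEPARATOR + digest


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record.

    The salt is read back from the record, the digest is recomputed, and the
    comparison is done in constant time so that a wrong guess takes the same
    time regardless of how many leading characters happen to match.
    """
    salt_hex, sep, expected = stored.partition(SEPARATOR)
    if sep != SEPARATOR:
        return False  # malformed record
    try:
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # salt is not valid hex
    actual = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(actual, expected)


def masked_display(stored: str, width: int = 8) -> str:
    """What to show a client who insists on 'seeing' the password.

    The record cannot be reversed, so the only honest display is a fixed
    run of asterisks; its length is unrelated to the real password length.
    """
    return "*" * width


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("good login:", verify_password("correct horse battery staple", record))
    print("bad login: ", verify_password("Tr0ub4dor&3", record))
    print("display:   ", masked_display(record))
```

The reply's recommendation of phpass is worth following over a plain salted digest like this one: phpass iterates its hash many times (and uses bcrypt where available), which slows down the brute-force and dictionary attacks the reply lists, whereas a single SHA-256 per guess is fast enough that a weak password still falls quickly to offline guessing.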