Welcome Guest, Not a member yet? Register   Sign In
Can i use this Ci Starter. Is it safe?
#12

(03-05-2015, 12:43 PM)ivantcholakov Wrote: @Narf

First of all, I have nothing against you, your job is incredible. I am silent recently because I am finishing a difficult project.

"Passwords must be hashed, not encrypted." - yes, I know that. I hash the users' passwords. But for example, I want to store a SMTP-password for the site mailer within the database as a setting - it needs to be decrypted before usage. So, the Password library gives both of the options. I will add some comments within the library in order it to be used properly.

About the GibberishAES class (alone) I don't have a disagreement, because I don't know what it supposed to be about. :-) You were not specific. http://forum.codeigniter.com/thread-53.html

I guess I got the wrong impression then, sorry about that.

I wasn't specific indeed ... I didn't think I need to be, because you too have no reason to roll your own instead of using CI_Encryption. That alone is a reason enough to dismiss your library, because the first rule in cryptography is "don't roll your own". Smile

If I have to be specific - it doesn't use authentication (HMAC), no timing safe comparison, it falls back to mt_rand() for key generation, it has this weird salting algorithm that is wrong on at least 3 levels (including usage of MD5), it has an escapeshellarg() method that has nothing to do with cryptography, the code itself is very unclear and it is obviously designed to encrypt passwords ... which is wrong by default, even if you did provide a very rare use-case for that.

Please just delete that library altogether. I mean, if any cryptography expert sees it, you'll be publicly shamed for writing it ... and I mean that on a very large scale, not within the realms of this forum. Smile

(03-05-2015, 02:14 PM)ivantcholakov Wrote: I have just added warning notes within the Password library, thank you. https://github.com/ivantcholakov/starter...d4a7a0f74c

That's an improvement, I'll give you that ... but if it's called "Password", then encrypt/decrypt methods simply don't belong in it. People make bad decisions every time you give them the chance to, and as I said - that's very dangerous when it comes to security.
Reply


Messages In This Thread
Can i use this Ci Starter. Is it safe? - by Vimal - 03-04-2015, 10:12 PM
RE: Can i use this Ci Starter. Is it safe? - by Narf - 03-06-2015, 04:27 AM



Theme © iAndrew 2016 - Forum software by © MyBB