#2, 09-16-2015, 03:41
atom0s (Join Date: Jan 2015, Posts: 397)
For passwords on a forum you would want to hash them, not encrypt them. There should never be an undo method for a password. Along with the hashing, you should be appending a long, randomly generated salt to the password before it is hashed to help increase the security of the password and the toughness to ever brute-force it.

For example, if you use a hash algorithm such as SHA256/SHA512, let's use the password 'abc123' as an example:

SHA256: ecd71870d1963316a97e3ac3408c9835ad8cf0f3c1bc703527c30265534f75ae
SHA512: daef4953b9783365cad6615223720506cc46c5167cd16ab500fa597aa08ff964eb24fb19687f34d7665f778fcb6c5358fc0a5b81e1662cf90f73a2671c53f991

In a brute force or dictionary attack, abc123 will take less than 30 minutes to break on modern machines. This would render just storing the direct hash an insecure method of handling the password. That is where salts come into play to make things much more secure.

You would append a randomly generated salt to the password before it is hashed to generate a much more difficult hash to break. For example:
Our password: abc123
Our random hash: w]q!!*z+4~02)@gxxfK;;v6,S!*,}1&$EbURm$f[8*{/E,y&-kG@ sJ#?W lq;1+

Which would make the following hashes:

SHA256: e9c349fdbf269f1f80c934dc72ae776d2b0d69bc3bcc3f8568a65a861422d268
SHA512: 7266f6d6c38de04333932578a2f7252febcb2893874958587b475bac09ad121b2ec319b60dbf8b02fa9a19c0c953d0fd05bd3de2a02629145a917d05b41b609d

A dictionary attack will never be able to break this as it is not something in a dictionary. And a brute force attack against a hash like this is nearly impossible to ever complete successfully.

Keep in mind when you choose a hashing algorithm, though, that things like MD5/SHA1 are frowned upon as they are outdated, have collisions, and have many rainbow tables and such made to aid in the cracking of passwords.


For things like emails, you would want encryption. AES is the common standard today for encrypting anything. But many other algorithms should be sufficient as long as there are no security issues like sharing the needed decryption key in a manner that invalidates the encryption in the first place.
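The salted-hash scheme described in the post above, as an added example that is not part of the original post. It builds a tiny constructed lookup table to show why an unsalted SHA-256 of 'abc123' is reversed instantly, shows a fresh per-user salt defeating that table, and then shows the caveat a practitioner wants: because the salt is stored beside the hash (it has to be, to verify logins), a dictionary attack against a single fast SHA-256 still succeeds per user, which is why the block ends with the storage form used today, a salted and deliberately slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library). The function names, the five-word password list and the `pbkdf2_sha256$rounds$salt$hash` record format are the example's own assumptions, not anything from the post.

```python
import hashlib
import hmac
import os

# Constructed attacker-side data: a small precomputed lookup ("rainbow") table.
# Real tables hold billions of entries; five are enough to show the mechanism.
COMMON_PASSWORDS = [b"123456", b"password", b"abc123", b"qwerty", b"letmein"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


LOOKUP_TABLE = {sha256_hex(pw): pw for pw in COMMON_PASSWORDS}


def crack_with_table(digest_hex: str):
    """Instant reversal of an unsalted hash if the password was ever tabulated."""
    return LOOKUP_TABLE.get(digest_hex)


def make_salt(nbytes: int = 16) -> bytes:
    # os.urandom is the OS CSPRNG; never use random.random() for salts.
    return os.urandom(nbytes)


def salted_sha256(password: bytes, salt: bytes) -> str:
    """The post's scheme: salt prepended to the password, then one SHA-256."""
    return sha256_hex(salt + password)


def dictionary_attack(salt: bytes, target_hex: str, wordlist):
    """An attacker holding the salt (stored next to the hash) still tries every
    word; the precomputed table is useless, but the work is just redone per user."""
    for guess in wordlist:
        if hmac.compare_digest(salted_sha256(guess, salt), target_hex):
            return guess
    return None


# Recommended storage: salted, deliberately slow KDF (PBKDF2-HMAC-SHA256).
PBKDF2_ROUNDS = 200_000  # tune upward as hardware gets faster


def hash_password(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    salt = make_salt()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # Self-describing record (assumed format) so rounds/salt can change per user later.
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    try:
        algo, rounds, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
        # Constant-time compare: do not leak how many leading bytes matched.
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:  # malformed record, bad hex, non-integer rounds
        return False


if __name__ == "__main__":
    pw = b"abc123"
    print("unsalted, via table   :", crack_with_table(sha256_hex(pw)))
    salt = make_salt()
    salted = salted_sha256(pw, salt)
    print("salted, via table     :", crack_with_table(salted))
    print("salted, via dictionary:", dictionary_attack(salt, salted, COMMON_PASSWORDS))
    rec = hash_password("abc123")
    print(rec)
    print(verify_password("abc123", rec), verify_password("abc124", rec))
```

Two notes on the design: the salt is stored in the clear inside the record, because its job is to make precomputation and cross-user reuse impossible, not to be secret; and the rounds count is part of the record so that old hashes can be re-hashed to a higher cost on the user's next successful login without a forced reset.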