[nycphp-talk] Encrypt/Decrypt without MCrypt
Christopher R. Merlo
cmerlo at ncc.edu
Mon Dec 1 10:34:17 EST 2003
On 2003-12-01 09:40 -0500, Brian Pang <bpang at bpang.com> wrote:
> Finally, write the code for this particular piece in the most cryptic
> manner that you can and don't comment the code. Don't use easy to follow
> var names like "sEncoded" Use single letters or other nonsense or
> random strings for var names, and put in lots of other useless code just
> to make it hard to interpret should anyone get a hold of it.
This sounds like a recipe for disaster. If anyone *does* break in to
your server, you'd get toasted this way.
Also, remember: if it's hard for the attacker to interpret, it will be
hard for you to interpret next month.
Now I don't know if this helps, but on my site, users type in their
password, and I compare it with an MD5 sum already in my DB. If the
sums match, that means that the user typed in the correct password,
and they're authenticated. This way, no cleartext password gets
stored anywhere.
--
cmerlo at ncc.edu http://turing.matcmp.ncc.edu/~cmerlo
Recursion, n:
See recursion. See also tail recursion.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
URL: <http://lists.nyphp.org/pipermail/talk/attachments/20031201/0f9c89e0/attachment.sig>
More information about the talk
mailing list