[nycphp-talk] Encrypt/Decrypt without MCrypt
Brian Pang
bpang at bpang.com
Mon Dec 1 10:44:59 EST 2003
I didn't claim that this approach would be fool proof, and I did, I
thought, warn against anyone getting a hold of the code as an obvious
security flaw.
Ideally, one wouldn't have to re-interpret the code, but at least you
would know that there's a bunch of crap in there you can ignore.
Comparing an MD5 sum stored in a DB also won't reveal what the
stored/encrypted data is, which I think is what was being sought here.
> This sounds like a recipe for disaster. If anyone *does* break in to
> your server, you'd get toasted this way.
>
> Also, remember: if it's hard for the attacker to interpret, it will be
> hard for you to interpret next month.
>
> Now I don't know if this helps, but on my site, users type in their
> password, and I compare it with an MD5 sum already in my DB. If the
> sums match, that means that the user typed in the correct password,
> and they're authenticated. This way, no cleartext password gets
> stored anywhere.
More information about the talk
mailing list