08-27-2009, 10:54 PM
|
#5 (permalink)
|
|
The Addict
Join Date: May 2009
Posts: 287
Thanks: 5
|
Quote:
Originally Posted by eStrategy
In the case of a user auth class you could randomly generate a salt for each user at registration and store it in their database record, so the salt is different for each user. Assuming your database is secure it will now be a massive challenge for anyone to work out your encyption technique....
Just an idea, any thoughts?
|
I had already gotten past this, I was thinking of using the password that the user entered as a seed for the random number generator. (Convert the pw to base9, then srand($seed))
After that I would use a randomly assigned (shuffled) assortment of [a-z0-9(symbols)] to use in conjunction with a hash to provide a secure string which can be reproduced (with the correct PW) and doesn't contain the PW. (So if they do crack the hash they would have to crack several random number generations, then pretty much guess at the original PW).
The trouble is then what comes with really secure or insecure PW's? Could/Should they be strengthened or weakened before the assignment, do they alter the theoretical complexity of the hash?
*EDIT* Crap! There would be no way to validate a random string generated from the numerical value of the entered PW, it would be the seed for a PRNG. Therefore ever changing! Scrap that.. |
|
|
|