Posted by Stefan Rybacki on 01/05/07 12:43
Cord-Heinrich Pahlmann wrote:
> Hi,
>
> I have written a tool which de/encrypts a few of my forum and
> blogging passwords.
> My question is how secure it is.
> The following describes how I have encrypted my passwords.
>
> When I log in, the Login-Password is changed into a md5-Hash and is
> compared to the login-password in the db.
That's fine.
> If the passwords are the same
> the user is logged in (common procedure). Then the clear-text
> login-password decrypts an unknown key which is stored in the
> $_SESSION-Variable.
Where does this key come from in the first place?
> With that key I decrypt the stored passwords in the
> db.
> I use the Blowfish Algorithm
> (http://www.php-einfach.de/sonstiges_generator_blowfish_script.php,
> Source is in German, sorry.).
> How secure is the Blowfish Algorithm?
The Blowfish algorithm is, as far as I remember, known as secure (means no
effective way of breaking it) as long as you use the full 16 rounds of
encryption.
> Each time I log in to my Site, the script generates a new key and
> de/encrypts all the stored passwords again. So the stored
> crypted-passwords look different every time I login.
>
Where do all the passwords come from?
> Sry, for my English-skills... I'm a little bit rusty...
Your English is just fine
Regards
Stefan
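
The flow described in the quoted question (the login password unlocks a key, and that key decrypts the stored passwords), sketched as an added example that is not part of the original thread or of either poster's code. It uses AES-256-GCM and PBKDF2 from PHP's OpenSSL and hash extensions in place of the linked Blowfish script; all function names, parameters and sample values are assumptions.

```php
<?php
// Added example: names, parameters and sample values are assumptions, not from the post.
// AES-256-GCM and PBKDF2 stand in for the Blowfish script the post links to.

// Authenticated encryption; returns nonce || tag || ciphertext.
function seal(string $plaintext, string $key): string {
    $nonce = random_bytes(12);
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $nonce, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return $nonce . $tag . $ct;
}

// Reverses seal(); throws if the key is wrong or the blob was modified.
function unseal(string $blob, string $key): string {
    if (strlen($blob) < 28) {
        throw new RuntimeException('blob too short');
    }
    $pt = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                          substr($blob, 0, 12), substr($blob, 12, 16));
    if ($pt === false) {
        throw new RuntimeException('wrong key or tampered data');
    }
    return $pt;
}

// Key-encryption key derived from the login password (iteration count is an assumed value).
function kek(string $password, string $salt): string {
    return hash_pbkdf2('sha256', $password, $salt, 600000, 32, true);
}

// Setup: a random data key encrypts the entries; only its wrapped form is stored.
$salt = random_bytes(16);
$dataKey = random_bytes(32);
$wrappedKey = seal($dataKey, kek('constructed-login-password', $salt));
$storedEntry = seal('constructed-forum-password', $dataKey);

// Login: the clear-text password unwraps the data key, which is what would be kept in $_SESSION.
$sessionKey = unseal($wrappedKey, kek('constructed-login-password', $salt));
echo unseal($storedEntry, $sessionKey), "\n";

// A wrong login password fails at the unwrap step and never reaches the entries.
try {
    unseal($wrappedKey, kek('wrong-password', $salt));
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Because the entries are encrypted under the random data key rather than the password itself, changing the login password only requires re-wrapping that one key.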