Posted by Peter Fox on 01/05/07 13:55
Following on from Cord-Heinrich Pahlmann's message...
>Hi,
>
>I have written a tool which de/encrypts a few of my forum and
>blogging passwords.
>My question is how secure it is.
/My/ question is how appropriate is it.
Whatever you do, _don't_ waste time worrying about the theoretical
breakability of proper cryptographic routines, they will be many times
stronger (unless badly misused) than other lines of attack.
Complexity is your enemy, not your friend. Each protective element must
have a purpose and be used appropriately, with its weaknesses understood.
One good lock is generally better than two feeble ones.
I haven't quite understood the details of your scheme. What exactly are
you trying to encrypt and why? What's the point of the second part? -
The words "decrypting stored passwords" alarm me.
>The following describes how I have encrypted my passwords.
>
>When I log in, the login password is changed into an md5 hash and is
>compared to the login password in the db. If the passwords are the same
>the user is logged in (common procedure). Then the clear-text
>login password decrypts an unknown key which is stored in the
>$_SESSION variable. With that key I decrypt the stored passwords in the
>db.
>I use the Blowfish Algorithm
>(http://www.php-einfach.de/sonstiges_generator_blowfish_script.php,
>Source is in German, sorry.).
>How secure is the Blowfish Algorithm?
>Each time I log in to my site, the script generates a new key and
>de/encrypts all the stored passwords again. So the stored
>encrypted passwords look different every time I log in.
>
>Sorry for my English skills... I'm a little bit rusty...
>
--
PETER FOX Not the same since the bra business went bust
peterfox@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>