NYCPHP Meetup

[Anthony Papillion]

So I've used encryption on a personal level and even on the server
through SSL but I've not done much more in PHP than using either the
MD5() or SHA1() functions on passwords. I tend to be a very paranoid
type with user information and I'm constantly thinking about
weaknesses in systems and how they could be exploited.

My initial encryption method was to either md5 or SHA1 passwords, and
stick them in the database. While I know it's difficult to 'reverse
the sausage machine' on these encrypted strings, it's not impossible.
An attacker could determine an MD5 or SHA1 password through a simple
dictionary attack. So, in essence, the encryption is useless.

My current method is to concatenate the username+password+username and
then either MD5 or SHA1 that and store that as the password in the
database. But, really, is this anymore secure to a sophisticated,
thinking attacker? Certainly, if I could think of it, they could, and
it would again be trivial to write a script to execute a simple
dictionary attack and figure out the password.

I also know there are many other encryption methods out there but,
isn't it true that *all* of them are compromisable by that simple
manner or am I missing something critical here? Perhaps the only way
to mitigate the risk is to institute a 3 strikes policy (which pisses
users off but is secure) and to them change the users password to some
absolutely random 50 digit gobbledygook string of characters.

Am I being overly paranoid here or are these valid concerns?  Am I
simply missing something?

Thanks!
Anthony

Blog:           www.cajuntechie.com
Facebook:   www.facebook.com/cajuntechie
Twitter:        www.twitter.com/cajuntechie