Skip to main content
Information Security

Timeline for What's good/bad about this custom password hashing?

Current License: CC BY-SA 3.0

11 events
when toggle format what by license comment
Mar 15, 2018 at 22:11 answer added bdsl timeline score: 1
Oct 14, 2016 at 10:00 vote accept Peter
Oct 14, 2016 at 1:50 history edited Peter CC BY-SA 3.0
added 16 characters in body
Oct 14, 2016 at 1:23 answer added CBHacking timeline score: 4
Oct 13, 2016 at 16:46 comment added Peter Thanks, edited the post a little to clarify I'm not planning on using it haha, and I read that salts don't even need to be too random - it's likely attackers would get access to the salts if they had access to the password, so overall it makes no difference if they're hard to predict or not
Oct 13, 2016 at 16:45 history edited Peter CC BY-SA 3.0
added 62 characters in body
Oct 13, 2016 at 16:29 comment added grochmal I'll focus on just one little detail (and leave the rest for someone else), i.e. mt_rad(). The MT scheme is known to generate poor random numbers at the beginning and then generate better ones after some time. Therefore if you run this as plain PHP you will get predictable salts, yet if you use something like php-fpm then you will end with good state for the PRNG. That's bad because your scheme produces different security concerns depending on how it is used.
Oct 13, 2016 at 16:23 history edited schroeder
edited tags
Oct 13, 2016 at 16:22 comment added schroeder The question you are going to get is, "why use a custom solution instead of the standard libraries that do it right?" If you want a review of certain elements of your scheme for learning purposes, that's fine, but just know that the way you phrased your intro paragraph, you are going to get flooded with "just use bcrypt/PBKDF2".
Oct 13, 2016 at 16:13 review First posts
Oct 13, 2016 at 16:21
Oct 13, 2016 at 16:11 history asked Peter CC BY-SA 3.0