Timeline for What's good/bad about this custom password hashing?
Current License: CC BY-SA 3.0
11 events
when toggle format | what | by | license | comment | |
---|---|---|---|---|---|
Mar 15, 2018 at 22:11 | answer | added | bdsl | timeline score: 1 | |
Oct 14, 2016 at 10:00 | vote | accept | Peter | ||
Oct 14, 2016 at 1:50 | history | edited | Peter | CC BY-SA 3.0 |
added 16 characters in body
|
Oct 14, 2016 at 1:23 | answer | added | CBHacking | timeline score: 4 | |
Oct 13, 2016 at 16:46 | comment | added | Peter | Thanks, edited the post a little to clarify I'm not planning on using it haha, and I read that salts don't even need to be too random - it's likely attackers would get access to the salts if they had access to the password, so overall it makes no difference if they're hard to predict or not | |
Oct 13, 2016 at 16:45 | history | edited | Peter | CC BY-SA 3.0 |
added 62 characters in body
|
Oct 13, 2016 at 16:29 | comment | added | grochmal |
I'll focus on just one little detail (and leave the rest for someone else), i.e. mt_rad() . The MT scheme is known to generate poor random numbers at the beginning and then generate better ones after some time. Therefore if you run this as plain PHP you will get predictable salts, yet if you use something like php-fpm then you will end with good state for the PRNG. That's bad because your scheme produces different security concerns depending on how it is used.
|
|
Oct 13, 2016 at 16:23 | history | edited | schroeder♦ |
edited tags
|
|
Oct 13, 2016 at 16:22 | comment | added | schroeder♦ |
The question you are going to get is, "why use a custom solution instead of the standard libraries that do it right?" If you want a review of certain elements of your scheme for learning purposes, that's fine, but just know that the way you phrased your intro paragraph, you are going to get flooded with "just use bcrypt/PBKDF2 ".
|
|
Oct 13, 2016 at 16:13 | review | First posts | |||
Oct 13, 2016 at 16:21 | |||||
Oct 13, 2016 at 16:11 | history | asked | Peter | CC BY-SA 3.0 |