PHP - Using a one-time pad to store encrypted passwords
Question
Given that a one time pad is unbreakable (to the best of my knowledge, please feel free to correct me), if I were to generate a pad, and use this same exact pad to encrypt passwords for a website when a user is created and store the encrypted password in my database, is this a safe method? In other words, is it ok to keep this same pad forever as long as no one ever sees what the pad is?
Should I instead use something like mcrypt?
2 answers
solution1
3 2013-10-08 19:26:07
What you would do with the one-time pad is encrypting the password. Encrypting passwords is not optimal, because however you do it, you will be able to decrypt the password. Your application itself must have access to the key (or the keys since every one-time pad can only encrypt a single password), so can do an attacker if he has enough privileges.
That's why we use hash functions to store passwords, they are one-way, you can check if an entered password results in the same hash, but you cannot get the original password back. PHP offers the function password_hash() to generate such hash-values, it handles all the pitfalls with generating random salts and uses the slow BCrypt to hash passwords.
solution2
1 ACCPTED 2013-10-08 19:47:27
The "one time" in one time page means that a given key is only used to encrypt a single plaintext. In other words, you have a separate pad for each item you need to encrypt. That's the thing that makes them unbreakable. Since those separate pads have to be stored somewhere, you are vulnerable. Instead, use a widely used and tested library (such as mcrypt) and encrypt your passwords using a salt
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.