RBL - Ephialtes

Pages: << < (11/18) > >>

DrenDran:

Also, do note that cucumberdude cannot prove he added encryption.

DontCare4Free:

Please note the difference between encrypting and hashing. With encryption you use a key which can then be used to reverse the action, while hashing is keyless and irreversible (except for rainbows/brute force).
Also, the serverside snippet that cucumber sent still assumed that passwords were stored serverside.

On a completely unrelated note, I think it would be interesting to see the security of storing the password as a known value (user id/username/email/registration date/you name it) encrypted using the password as a key. That way you could check if it decrypts correctly without storing the password directly.

On another unrelated note, cucumber, have you ever heard of OpenID?

Deathwishez:


--- Quote from: DrenDran on March 11, 2011, 08:20:04 AM ---Also, do note that cucumberdude cannot prove he added encryption.

--- End quote ---

And how exactly would he?

DontCare4Free:


--- Quote from: Deathwishez on March 11, 2011, 03:53:16 PM ---And how exactly would he?

--- End quote ---
It's impossible.

cucumberdude:

Encryption serverside cannot be proved.

Clientside encryption could be, but clientside encryption is pointless (assuming I'm not running some hurrdurr password collecting scam) because anybody who intercepted the password between the client and server would as good as have the password.


--- Quote from: DontCare4Free on March 11, 2011, 10:43:09 AM ---Please note the difference between encrypting and hashing. With encryption you use a key which can then be used to reverse the action, while hashing is keyless and irreversible (except for rainbows/brute force).
Also, the serverside snippet that cucumber sent still assumed that passwords were stored serverside.

--- End quote ---
Interesting, I didn't know that. Subtle difference. I have used AES in previous projects, so I'm used to saying 'encrypted'.


--- Quote from: DontCare4Free on March 11, 2011, 10:43:09 AM ---On a completely unrelated note, I think it would be interesting to see the security of storing the password as a known value (user id/username/email/registration date/you name it) encrypted using the password as a key. That way you could check if it decrypts correctly without storing the password directly.

--- End quote ---
So, using the password as a seed? I'm not really sure what the advantage would be, if the user wanted password recovery it would still be impossible.


--- Quote from: DontCare4Free on March 11, 2011, 10:43:09 AM ---On another unrelated note, cucumber, have you ever heard of OpenID?

--- End quote ---
Vaguely. Is it that global internet ID thing? I didn't think it was really all that widely used.
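An added example, not part of any post in this thread, putting the two server-side checks discussed above side by side: a salted, slow hash, and DontCare4Free's idea of protecting a known value with the password as key. It assumes PBKDF2-HMAC-SHA256 with an illustrative iteration count and substitutes HMAC for encryption of the known value; all function names are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for illustration only


def _derive_key(password: str, salt: bytes) -> bytes:
    """Slow, salted, one-way derivation. The password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll_hash(password: str) -> dict:
    """Conventional storage: a per-user random salt plus the derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _derive_key(password, salt)}


def verify_hash(record: dict, password: str) -> bool:
    """Recompute the hash from the candidate password; compare in constant time."""
    candidate = _derive_key(password, record["salt"])
    return hmac.compare_digest(record["hash"], candidate)


def enroll_known_value(username: str, password: str) -> dict:
    """Known-value variant: the password-derived key protects the username.
    HMAC stands in for encryption here (an assumption of this sketch)."""
    salt = os.urandom(16)
    key = _derive_key(password, salt)
    tag = hmac.new(key, username.encode("utf-8"), hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def verify_known_value(record: dict, username: str, password: str) -> bool:
    """Re-derive the key from the candidate password and check the known value."""
    key = _derive_key(password, record["salt"])
    expected = hmac.new(key, username.encode("utf-8"), hashlib.sha256).digest()
    return hmac.compare_digest(record["tag"], expected)


if __name__ == "__main__":
    # Constructed sample credentials, for demonstration only.
    h = enroll_hash("correct horse")
    k = enroll_known_value("cucumberdude", "correct horse")
    print(verify_hash(h, "correct horse"), verify_hash(h, "wrong"))
    print(verify_known_value(k, "cucumberdude", "correct horse"))
```

Both records verify a password without storing it, and neither allows password recovery; the known-value variant is in effect a keyed one-way check, so its resistance to guessing rests on the same salt and work factor as the plain hash.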
