Kevin317

MCrypt Module, Rijndael-256

@Kevin317

Posted in: #Intranet #Php #Security

An outside company is redoing our company Intranet. During some basic usage I discovered that the "User Edit" screens, with the "Password: *" boxes, have the password in plain text, with the text box "type=password" to "hide" the password.


The passwords are not stored in the database as plain text; they are stored encrypted using the "rijndael-256" cipher via the mcrypt module.


I know that if I encrypt a password with SHA*, the password is "unrecoverable" via one-way encryption. Is the same true of MCrypt Rijndael-256 encryption? Shouldn't an encrypted password be unrecoverable? Are they blowing smoke up my rear or just using the wrong technology?


1 Comment


@Looi9037786

SHA* or MD5 are not encryption. They generate hashes. Hashes are one way, in that once you have something it is unrecoverable (unless you have a known value associated with a known hash). Hashes are ok for non-critical passwords.

You may recall recent news where LinkedIn had a number of accounts stolen. Attackers got a copy of their user table. Their passwords were stored as hashes, and using huge lookup tables of all possible values for a type of hash, attackers were able to get login credentials for users.

Encryption is the process of using specific mathematical algorithms to turn the data into 'useless', unintelligible data. Encryption is designed to be reversible. Encryption uses a 'key' to perform the encryption/decryption, and as long as you possess that key you can decrypt the encrypted information. If you dispose of/lose the key, the data is useless. In this way, an attacker would need both your data and your encryption key (or a lot of time and a sufficiently large number of processors) for the data to be usable.

In short, Encryption is reversible provided you have the key and is preferable to hashing.
