Have a good look at the values you’re dealing with. The random salt generated will be, say: abcdefg… What is fed into crypt looks like this: crypt($password, ‘$2y$10$abcdefg…’) | | | | | +- the salt | +- the cost parameter +- the algorithm type The result looks like: $2y$10$abcdefg…123456789… | | | | | … Read more
OpenSSL uses the function EVP_BytesToKey. You can find the call to it in apps/enc.c. The enc utility used to use the MD5 digest by default in the Key Derivation Algorithm (KDF) if you didn’t specify a different digest with the -md argument. Now it uses SHA-256 by default. Here’s a working example using MD5: #include … Read more
Before you read the code, keep in mind that the Fake Registration block would not be in your code, but it is necessary to show you this, end-to-end. <?php session_start(); // Begin Vault // credentials from a secure Vault, not hard-coded $servername=”localhost”; $dbname=”login_system”; $username=”dbUserName”; $password=”dbPassword”; // End Vault // The following two variables would come … Read more
How about taking another approach or angle at this problem? Ask why the password is required to be in plaintext: if it’s so that the user can retrieve the password, then strictly speaking you don’t really need to retrieve the password they set (they don’t remember what it is anyway), you need to be able … Read more