sarciszewski

Everything posted by sarciszewski

  1. If it helps to shed some light on the different terms and concepts involved in cryptography, we did publish a blog post explaining this in detail. https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded
  2. Using crypt() is at best suboptimal. You're better off using password_hash() and password_verify(). "However i use that one amongst with SHA1, MD5 and 4-5 different custom-made salt functions that will randomly throw the letters and numbers and signs around to make sure they are very well shaken and ready to be used as an password" Have you never heard the words "don't roll your own crypto" before? This is a bad idea!
  3. I'm not sure that's much comfort. Most people link to the w3schools website and not the forum, so I'd wager (heuristically) that more people read the misinformative PHP documentation than the forums where people point out inaccuracies that Refsnes Data ignores.
  4. I've also emailed them and used the form at the bottom of the page. There's no way they haven't been informed by now.
  5. First, you need to call session_start() before any HTML tags (or even whitespace) is printed out.

     <!DOCTYPE html>
     <?php session_start();

     ...needs to look like...

     <?php
     session_start();
     // ... other code here ...
     ?>
     <!DOCTYPE html>

     Very important: You're storing your password in plaintext. Don't do that. See password_hash() and password_verify(). I see that you're using mysqli_real_escape_string(). This is a mistake. The proper way to prevent SQL injection is to use prepared statements, not to escape input. Reference: https://secure.php.net/manual/en/mysqli.prepare.php
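An added example (not code from either poster) that pulls together the advice in posts 2 and 5: session_start() before any output, password_hash()/password_verify() instead of crypt() or plaintext storage, and prepared statements instead of mysqli_real_escape_string(). It assumes PHP 7 or later with PDO and the SQLite driver; an in-memory SQLite database stands in for MySQL so the script runs offline, and the usernames and passwords are constructed for the demonstration. With mysqli the prepared-statement pattern is the same.

```php
<?php
declare(strict_types=1);
session_start(); // before any output: no HTML, not even whitespace, above this line

// Constructed in-memory database (assumption: SQLite stands in for MySQL here).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pwhash TEXT NOT NULL)');

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() generates its own random salt and hashes (bcrypt by default).
    // The plaintext password is never written to the database.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Prepared statement: the values travel separately from the SQL text,
    // so no escaping is needed and none is attempted.
    $stmt = $db->prepare('INSERT INTO users (username, pwhash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, pwhash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown user: same outcome as a wrong password
    }
    if (!password_verify($password, $row['pwhash'])) {
        return false;
    }
    // Transparently upgrade stored hashes when the default algorithm or cost changes.
    if (password_needs_rehash($row['pwhash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pwhash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    session_regenerate_id(true); // fresh session ID once the user is authenticated
    $_SESSION['user_id'] = $row['id'];
    return true;
}

registerUser($db, 'alice', 'correct horse battery staple');
var_dump(loginUser($db, 'alice', 'correct horse battery staple')); // valid credentials
var_dump(loginUser($db, 'alice', 'wrong password'));               // wrong password
// An injection attempt is just a username that matches no row.
var_dump(loginUser($db, "alice' OR '1'='1", 'anything'));
?>
<!DOCTYPE html>
<html><body>Markup is emitted only after session_start() has run.</body></html>
```

Note that loginUser() returns the same result for an unknown user and for a bad password, so the response does not reveal which usernames exist, and that the stored value is opaque to the database: a dump of the users table yields only bcrypt strings.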
  6. Interesting. On one hand, you say they seem to listen to suggestions. But on balance, they generally ignore the community and so far have not addressed the inaccuracies I brought to their attention. At this point I'm not sure if I would be wasting my time trying to improve their documentation.
  7. This is disheartening. I wonder if the folks at w3fools would enjoy this information more (assuming they haven't already listed it as a grievance)? At the very least, they'd probably act on it if I informed them of it.
  8. Understood. I've reported an error on the page and referenced this topic. I originally did not see this link (thank you for informing me about it), I will be sure to make use of it. Do any of the W3Schools staff frequent the forums? Would posting here be a good way to engage both the community as well as the administration, or is there a better strategy I should pursue? Maybe these aren't easy questions to answer, but any insight you have to offer as a moderator would be invaluable for plotting the course ahead.
  9. My edit pertained to the origins of crypt(3); my computer history isn't great. From the PHP manual page: Their terminology is correct, actually. It's just w3schools that muddies the water between new developers and understanding this particular nuance of cryptography. Don't feel bad, though, I just spent the past few months cleaning up a lot of the PHP questions and answers on Stack Overflow. My employer offers B2B technology consulting, but we also care very much about moving the needle towards other developers being secure by default, both in terms of their tools and frameworks but also in terms of the habits they adopt. Even if teaching other developers to write better and more secure code doesn't have a positive ROI for us. A lot of programmers seem to learn from w3schools when they're first starting out. That's why I'm even bringing this up at all rather than letting sleeping dogs lie. I hope these corrections are not taken as a sign of disrespect; few people have the knowledge or years of experience to understand the nuance of cryptology and, while I don't hold not understanding these details against anyone, I'm trying to make better knowledge more common.
  10. Nope. It's a one-way cryptography function, not a one-way encryption function. Encryption is the art of rendering a message unreadable to everyone who does not possess a secret key. Encryption is, by definition, reversible. Hashing is, by definition, one-way. Cryptography doesn't imply encryption, it can mean any of the following:

      • Encryption
          • Block Ciphers
          • Stream Ciphers
          • Elementary ciphers (substitution, transposition, etc.)
      • Authentication
          • Hash functions, HMAC, etc.
          • Password hashing functions
          • CMAC, Poly1305, GCM, etc.
      • Key Exchange
          • Diffie-Hellman, Elliptic Curve Diffie-Hellman
      • Digital Signatures
          • RSA, DSA, ECDSA, EdDSA
      • Public Key Infrastructure
      • Cryptographic Side Channels
          • Padding oracle attacks (RSA-PKCS1, etc.)
          • String comparison timing attacks
          • Cache-timing attacks
          • Fault-based side-channels

      ...and so much more. There isn't a reputable cryptography engineer alive who would say that EdDSA is an encryption algorithm with a straight face. It's just as incorrect to say that a hash function is a form of encryption too.
  11. I've been fighting an uphill battle with new developers who don't understand the difference between hashing and encryption, and I believe correcting this w3schools article will help dramatically. http://www.w3schools.com/php/func_string_crypt.asp If we want this article to be accurate, every instance where this article refers to crypt() as an encryption feature needs to be rewritten to say "password hashing" (or simply hashing). Despite its name, crypt() is ported from AT&T Unix v6's crypt(3) function, which was meant for one-way password hashing. See: https://www.freebsd.org/cgi/man.cgi?query=crypt%283%29
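An added example, not part of any post above, illustrating the distinction drawn in posts 10 and 11: crypt() produces a one-way password hash with no key and no inverse, while encryption requires a secret key and is reversible. It assumes PHP 7.2 or later with the sodium extension; the password and message are constructed for the demonstration. password_hash() is used to mint the bcrypt string because it writes crypt(3)-format output, which crypt() itself then recomputes.

```php
<?php
declare(strict_types=1);

$password = 'correct horse battery staple'; // constructed input

// 1. Password hashing: a "$2y$..." string in crypt(3) format. There is no key,
//    so there is nothing that could ever turn this string back into the password.
$hash = password_hash($password, PASSWORD_BCRYPT);
echo "stored hash: $hash\n";

// crypt() given the stored hash as its salt argument recomputes the same hash;
// this is exactly what password_verify() does internally, so the two agree.
// hash_equals() is used so the comparison does not leak timing information.
$recomputed = crypt($password, $hash);
var_dump(hash_equals($hash, $recomputed));        // same hash from the same password
var_dump(password_verify($password, $hash));      // the library-level check
var_dump(password_verify('wrong password', $hash)); // fails: different input, different hash

// 2. Encryption: requires a secret key, and the holder of that key can reverse it.
$key   = sodium_crypto_secretbox_keygen();
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES); // unique per message
$ciphertext = sodium_crypto_secretbox($password, $nonce, $key);
echo "ciphertext: " . bin2hex($ciphertext) . "\n";

$decrypted = sodium_crypto_secretbox_open($ciphertext, $nonce, $key);
var_dump($decrypted === $password); // the original comes back, because a key exists

// Authenticated encryption with the wrong key refuses to decrypt instead of
// returning garbage: secretbox_open returns false on a bad key or tampered data.
$wrongKey = sodium_crypto_secretbox_keygen();
var_dump(sodium_crypto_secretbox_open($ciphertext, $nonce, $wrongKey));

sodium_memzero($key);
sodium_memzero($wrongKey);
```

The two halves look superficially alike, since both take a secret string and emit unreadable bytes, but only the second half can be run backwards, and only because a key exists. That reversibility is the property the w3schools page attributes to crypt(), and it is precisely the property a password hash must not have.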