php - Can a home-brewed cryptographic hash be strong enough for storing website passwords?Get the solution ↓↓↓
I'm developing a portion of a website with user accounts and have home-brewed my own cryptographic hash algorithm for storing user passwords.
I've done as much research on the topic of cryptography as my brain will allow and I feel that I have a fairly decent understanding of how to encrypt a user's password in a pretty secure way- as far as I can tell.
I'm essentially using a salt+pepper method with a further index-hash (not sure on the naming there) and finally passed through PHP's
hash() function with
'sha512' hash option.
To extrapolate on the index-hash portion of my algorithm: essentially, each user entry has a corresponding dictionary that is randomly generated. Then, each character of the previously salt+pepper'ed password is then used as a key/index for that dictionary, concatenating each indexed value to create a mostly-uniquely encoded value. I say mostly-uniquely here because I don't verify that every user dictionary is unique since there are thousands of possible values that are selected from to create the dictionary.
To summarize the algorithm:
- salt+pepper the value
- encode (index-hash)
In my testing, the stored passwords seem to be pretty unique (have entered multiple test passwords with the same string and had very different hashes), and I'm able to verify entered passwords through the site with those stored in the database, i.e. not storing cleartext passwords and the hashed ones entered by user match those in the database.
Basically, I'd like to know, without revealing more details of the algorithm, if this is secure enough to store user passwords.
It can but the likelihood tends to 0 if you're only a beginner in cryptography. Everyone is able to devise an algorithm that they themselves cannot break. Schneier's Law (thanks r3mainer!)
It is not necessary to try and do this security by obscurity style. See Kerkhoffs' principle for more on that.
Just use one of the established and widely accepted methods of password hashing such as Argon2, scrypt, bcrypt or PBKDF2 in descending order. Always use a high work factor and a random salt per user. See How to securely hash passwords?
- Why are you developing your own crypto hash?
- Why are you trying to avoid revealing the details of the algorithm?
Both of those things are huge red flags in crypto and security, so no, your algorithm is not secure enough. No algorithm is secure enough without serious cryptanalysis by qualified professionals, and both of those things amount to not having had your homebrew hash exposed to serious cryptanalysis.
Just go with a standard algorithm please.
People are also looking for solutions of the problem: installation failed, reverting ./composer.json and ./composer.lock to their original content
Didn't find the answer?
Our community is visited by hundreds of web development professionals every day. Ask your question and get a quick answer for free.
Find the answer in similar questions on our website.
Write quick answer
Do you know the answer to this question? Write a quick response to it. With your help, we will make our community stronger.