I'm developing a portion of a website with user accounts and have home-brewed my own cryptographic hash algorithm for storing user passwords.
I've done as much research on the topic of cryptography as my brain will allow and I feel that I have a fairly decent understanding of how to encrypt a user's password in a pretty secure way- as far as I can tell.
I'm essentially using a salt+pepper method with a further index-hash (not sure on the naming there) and finally passed through PHP's hash()
function with 'sha512'
hash option.
To extrapolate on the index-hash portion of my algorithm: essentially, each user entry has a corresponding dictionary that is randomly generated. Then, each character of the previously salt+pepper'ed password is then used as a key/index for that dictionary, concatenating each indexed value to create a mostly-uniquely encoded value. I say mostly-uniquely here because I don't verify that every user dictionary is unique since there are thousands of possible values that are selected from to create the dictionary.
To summarize the algorithm:
- salt+pepper the value
- encode (index-hash)
- PHP
hash('sha512', $value)
In my testing, the stored passwords seem to be pretty unique (have entered multiple test passwords with the same string and had very different hashes), and I'm able to verify entered passwords through the site with those stored in the database, i.e. not storing cleartext passwords and the hashed ones entered by user match those in the database.
Basically, I'd like to know, without revealing more details of the algorithm, if this is secure enough to store user passwords.
question from:
https://stackoverflow.com/questions/66054778/can-a-home-brewed-cryptographic-hash-be-strong-enough-for-storing-website-passwo 与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…