alberto2345
Posted October 31, 2015

Hello,

I'm working on a login system and I'm wanting to ask what encryption method would be the best. I was going to stick with base64, but that alone doesn't work since decompilers online can decompile the text (I've tried and it works).

I'm looking at using TEA, but I'm confused about its use. It says it requires a key, so do I just make one up? Also, if I need to make one up, I would need to store it somewhere, so would doing all of this server side with a variable that contains the key be the best option?

Also, doing some research, it seems that really the only encryption that is strong that MTA has provided is TEA, since all the others can be decompiled using websites online. Am I correct on this, or am I not using them properly?

Thanks!

John Smith
Posted October 31, 2015

TEA is harder to decode, but (at least in MTA) the TEA encryption password can be a maximum of 16 characters long, so it's not that hard to crack it actually. I recommend you hash users' passwords by using the hash function, because it's probably the easiest, safest method that you can do. The other method would be to implement your own encryption, but that might be hard to do if you're a beginner in scripting. I recommend hashing passwords.

Noki
Posted November 1, 2015

Do you want to encrypt so you may decrypt at a later date, or do you want them to not be decrypted (one way)? If you want to be able to encrypt and decrypt, use TEA. If you want said data to not be decrypted, use the hash function, as John Smith said.

alberto2345
Posted November 1, 2015

I think I'll go with TEA. Doing my own tests with the hash function, I have my doubts about it. I found a website that can decrypt all the encryption methods listed in the hash function and it was able to decrypt most of them. I tried text like:

hello
alberto
dynamite1337

and all these were decrypted with sha256. The only ones that weren't decrypted were if I did something like

dynami1337

or just spammed

ksjldfuhsdfuhsdf

Obviously the website uses a dictionary to decrypt, as it says it on the website as well. The only way is to double encrypt, so use hash to encrypt the message, then hash again to encrypt the encrypted message. But that solution would only work on this specific website, as it doesn't output what it comes up with if it doesn't find what it considers valid. But if a website did, then you could just decrypt the decrypted message again. But would someone who gained the password information even consider doing that if all they saw was encrypted text after trying to decrypt it? And would it even be worth doing this method?

Noki
Posted November 1, 2015

Salting:
- https://crackstation.net/hashing-security.htm
- http://security.stackexchange.com/quest ... -salt-work

If you think the in-built hash functions are terrible (which they kind of are), I would recommend using the bcrypt module.

alberto2345
Posted November 1, 2015

> Salting:
> - https://crackstation.net/hashing-security.htm
> - http://security.stackexchange.com/quest ... -salt-work
>
> If you think the in-built hash functions are terrible (which they kind of are), I would recommend using the bcrypt module.

Thanks for those links. After a bit it started to make sense; it was a bit hard to get my head around at first.

And the bcrypt module seems to have problems, as it only outputs *0 every time. Someone put it as an issue on GitHub as well, so it's not just me.

Anyway, salt is the way to go, so thanks for the help everyone!
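
The following is an added example, not code from any poster in this thread and not MTA's API: a Python sketch of why the lookup site recovered the plain and would recover the double SHA-256 hashes discussed above, and what a per-user salt changes. PBKDF2 from Python's standard library stands in for the bcrypt module mentioned in the thread; the function names, the word list and the iteration count are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this example; tune for your server


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def double_sha256_hex(text):
    # "Hash the hash": still deterministic, so a table works just as well.
    return sha256_hex(sha256_hex(text))


def build_lookup(words, hash_fn):
    # What a hash lookup site does: precompute hash -> word once, reuse forever.
    return {hash_fn(w): w for w in words}


def hash_password(password, salt=None):
    # Fresh random salt per user, stored next to the digest (it is not secret).
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


# Constructed sample data: the passwords tried in the thread.
WORDS = ["hello", "alberto", "dynamite1337"]

if __name__ == "__main__":
    single = build_lookup(WORDS, sha256_hex)
    double = build_lookup(WORDS, double_sha256_hex)
    print("plain sha256 lookup: ", single.get(sha256_hex("dynamite1337")))
    print("double sha256 lookup:", double.get(double_sha256_hex("dynamite1337")))
    print("random string lookup:", single.get(sha256_hex("ksjldfuhsdfuhsdf")))
    salt_a, stored_a = hash_password("dynamite1337")
    salt_b, stored_b = hash_password("dynamite1337")
    print("same password, same stored value?", stored_a == stored_b)
    print("login check:", verify_password("dynamite1337", salt_a, stored_a))
```

Because every account gets its own salt, one precomputed table no longer covers all users; a weak password can still be guessed one account at a time, which is why the slow key-derivation step matters as well.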