troyhunt

Untitled

Jun 30th, 2016
Allow me to give you some friendly advice, I do hope you take this constructively.

What you're doing here is not encryption, it's known as a Caesar cipher which is merely character substitution. You're then encoding it with Base64 which can be easily decoded.

The problem with character substitution is that as soon as you work out which characters are substituted with which other characters, the entire "encryption" scheme comes undone. You could easily derive this by looking at the output of your function after it's applied to a number of passwords, for example if the "encrypted" passwords were leaked. You could also easily derive it if you were able to observe both the input and the output of a single string, for example if someone found a SQL injection risk in the site and could observe the "encrypted" version of their password.

For guidance on password storage, I suggest you refer to OWASP's Password Storage Cheat Sheet: https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Incidentally, the keys you've used in the encrypt and decrypt functions are also different by one character which will cause the "decryption" to fail on some characters.
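Added example, not code from the paste or from the scheme it criticises: a constructed stand-in for "Caesar shift, then Base64", showing that a single observed input/output pair gives the whole substitution away, next to a salted PBKDF2 store-and-verify routine of the kind the OWASP cheat sheet recommends. The printable-ASCII alphabet, the integer shift, the iteration count and the sample password are all assumptions.

```python
import base64
import hashlib
import hmac
import os

# Assumed model of the criticised scheme: shift each printable ASCII
# character (' ' .. '~', 95 symbols) by a fixed key, then Base64-encode.
ALPHABET = "".join(chr(i) for i in range(32, 127))


def caesar_encrypt(text: str, key: int) -> str:
    shifted = "".join(ALPHABET[(ALPHABET.index(c) + key) % len(ALPHABET)] for c in text)
    return base64.b64encode(shifted.encode("ascii")).decode("ascii")


def caesar_decrypt(token: str, key: int) -> str:
    shifted = base64.b64decode(token).decode("ascii")
    return "".join(ALPHABET[(ALPHABET.index(c) - key) % len(ALPHABET)] for c in shifted)


def recover_key(plaintext: str, token: str) -> int:
    """One known (input, output) pair exposes the whole substitution:
    peel off the Base64 layer and read the shift from the first character."""
    shifted = base64.b64decode(token).decode("ascii")
    return (ALPHABET.index(shifted[0]) - ALPHABET.index(plaintext[0])) % len(ALPHABET)


# What the cheat sheet asks for instead: a slow, salted, one-way derivation.
# Iteration count is an example value, not a recommendation from the page.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


if __name__ == "__main__":
    sample = "Passw0rd!"  # constructed sample value
    token = caesar_encrypt(sample, 13)
    print(token, "->", caesar_decrypt(token, 13), "| key recovered:", recover_key(sample, token))
    salt, digest = hash_password(sample)
    print("pbkdf2 verify:", verify_password(sample, salt, digest))
```

Two hashes of the same password get different salts and therefore different digests, which is exactly what the Caesar scheme cannot offer: its output for a given input is fixed, so one leaked pair unlocks every record.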