Is my developer’s home-brew password security right or wrong, and why?

Çağlar Arlı

A developer, let's call him 'Dave', insists on using home-brew scripts for password security. See Dave's proposal below.

His team spent months adopting an industry-standard protocol using Bcrypt. The software and methods in that protocol are not new, and are based on tried and tested implementations that support millions of users. This protocol is a set of specifications detailing the current state of the art, software components used, and how they should be implemented. The implementation is based on a known-good implementation.

Dave argued against this protocol from day one. His reasoning was that algorithms like Bcrypt, because they are published, have greater visibility to hackers, and are more likely to be targeted for attack. He also argued that the protocol itself was too bulky and difficult to maintain, but I believe Dave's primary hangup was the fact that Bcrypt is published.

What I'm hoping to accomplish by sharing his code here is to generate consensus on:

  1. Why home-brew is not a good idea, and
  2. What specifically is wrong with his script

```php
/** Dave's Home-brew Hash */

// user data
$user = '';
$password = '';

// timestamp, random #
$time = date('mdYHis');
$rand = mt_rand().'\n';

// crypt
$crypt = crypt($user.$time.$rand);

// hash
function hash_it($string1, $string2) {
    $pass = md5($string1);
    $nt = substr($pass,0,8);
    $th = substr($pass,8,8);
    $ur = substr($pass,16,8);
    $ps = substr($pass,24,8);

    $hash = 'H'.sha1($string2.$ps.$ur.$nt.$th);
    return $hash;
}

$hash = hash_it($password, $crypt);
```
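
As an added example (not part of the original post, and not Dave's or his team's code), the following PHP script runs Dave's `hash_it()` next to bcrypt through PHP's built-in `password_hash()` / `password_verify()` and measures the cost of one evaluation of each. The sample password, the random hex string standing in for `$crypt`, the cost value 12 and the helper `mean_us()` are assumptions made for the illustration.

```php
<?php
// Added example, not from the original post. hash_it() is copied from the
// post; the sample password, salt and timing helper are constructed here.

function hash_it($string1, $string2) {
    $pass = md5($string1);
    $nt = substr($pass, 0, 8);
    $th = substr($pass, 8, 8);
    $ur = substr($pass, 16, 8);
    $ps = substr($pass, 24, 8);
    return 'H' . sha1($string2 . $ps . $ur . $nt . $th);
}

// Run $fn $n times and return the mean cost of one call in microseconds.
function mean_us(callable $fn, int $n): float {
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / $n / 1000;
}

$password = 'correct horse battery staple'; // constructed sample input
$salt = bin2hex(random_bytes(16));          // stand-in for the post's $crypt value

// The home-brew value can only be re-checked if $salt is stored beside it,
// so one evaluation costs a single MD5 plus a single SHA-1, with no work factor.
$homebrew = hash_it($password, $salt);
$homebrewUs = mean_us(fn() => hash_it($password, $salt), 100000);

// bcrypt through PHP's password API: salt and cost are embedded in the output.
$bcrypt = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
$bcryptUs = mean_us(fn() => password_verify($password, $bcrypt), 3);

printf("home-brew: %s (%.2f us per hash)\n", $homebrew, $homebrewUs);
printf("bcrypt:    %s (%.0f us per verify)\n", $bcrypt, $bcryptUs);
printf("work ratio: about %.0fx\n", $bcryptUs / $homebrewUs);

// Verification and later cost upgrades need no custom code.
var_dump(password_verify($password, $bcrypt));
var_dump(password_verify('wrong guess', $bcrypt));
var_dump(password_needs_rehash($bcrypt, PASSWORD_BCRYPT, ['cost' => 13]));
```

The absolute timings depend on the machine; the point of the comparison is that the bcrypt cost is a parameter that can be raised, while the home-brew construction has none.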