
I'm not very familiar with encryption and new to this; I'm just learning it right now by reviewing the code of one of the classes we have in an application that encrypts a password using AES. Would anyone explain to me why we need to have a salt and RFC?

Example snippet: the parameters passed are the input, a salt and an "rfc" string.

public static string AesEncrypt(string input, string salt, string rfcpassword)
{
  //code here...
}
rpm07
  • Do you know what that "rfc" stands for? –  Dec 04 '14 at 02:31
  • that's the thing I don't know :) – rpm07 Dec 04 '14 at 02:39
  • It would help to see more code, but it's probably the encryption key – atk Dec 04 '14 at 03:44
  • Do not encrypt passwords. Hash them. Read this: https://crackstation.net/hashing-security.htm RFCs are "Requests for Comments," the standards documents of the Internet. http://en.wikipedia.org/wiki/Request_for_Comments – Bob Brown Dec 04 '14 at 04:21
  • @BobBrown why should I not encrypt passwords? – rpm07 Dec 04 '14 at 04:49
  • Because encryption is reversible and creates an unnecessary security exposure. (Really... go read the Crackstation article.) – Bob Brown Dec 04 '14 at 04:55
  • Could "salt" be the IV named by someone who doesn't know what an IV is? – cpast Dec 04 '14 at 06:14
  • @cpast: That's a better guess than I have. I really would like to know where that declaration came from in order to guess whether it might be good for anything. – Bob Brown Dec 04 '14 at 12:58
  • @BobBrown there are a few legitimate reasons for encrypting passwords, and a blanket answer of "you never should" is rarely an accurate response. – Desthro Dec 04 '14 at 15:23
  • @Desthro: Of course one could encrypt one's *own* passwords for safe storage, as with a password manager program. I can't think of any reason why someone running a system that requires a password to log in should encrypt rather than hash, and I'd be happy to hear a counter-example. – Bob Brown Dec 04 '14 at 16:47
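To illustrate the point the comments make (hash passwords with a per-password salt instead of encrypting them), here is an added example that is not part of the original question or its application. It uses PBKDF2-HMAC-SHA256 from the Python standard library; the storage format `scheme$iterations$salt$digest`, the iteration count and the function names are choices made for this example, not anything the thread describes. The same derivation is what .NET exposes as `Rfc2898DeriveBytes`.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 100_000   # PBKDF2 work factor chosen for this example; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt per stored password


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """One-way, deliberately slow derivation of (password, salt).

    Unlike AES encryption there is no key that turns the result back into
    the password; a verifier can only re-run the derivation and compare.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, iterations, salt and digest.

    The salt is stored in the clear next to the digest; it is not a secret,
    its job is to make every stored digest unique.  `salt` may be supplied
    only for deterministic testing; production callers leave it None.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = derive(password, salt)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: refuse rather than guess
    if scheme != "pbkdf2_sha256":
        return False
    candidate = derive(password, salt, iterations)
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def same_password_different_salts(password: str) -> bool:
    """Why the salt matters: two users with the same password get different
    digests, so one cracked record (or a precomputed table) does not reveal
    the other, yet both records still verify."""
    first = hash_password(password)
    second = hash_password(password)
    return (first != second
            and verify_password(password, first)
            and verify_password(password, second))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample input
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("wrong pw :", verify_password("Tr0ub4dor&3", record))
    print("salt unique:", same_password_different_salts("hunter2"))
```

Run it directly to see one stored record, a successful verification, a failed one and the salt-uniqueness check. Nothing here can recover the password from the record, which is exactly the property that reversible AES encryption with a shared key lacks.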

0 Answers