Help with storing passwords as encrypted hash

[SimeonC]

Hi There.

I'm having trouble working with triplesec, essentially what I want to do is one way encryption of a password and store it in the db. When the user tries to log in I do the same encryption but I'm getting a different encrypted string, so they aren't comparable.

Is there some way of making it such that if I encrypt with key a and data b the encrypted hash will always be the same?

Thanks in advance.

[SparkDustJoe]

TripleSec is not a good way to hash passwords (which is what you are trying to do with it). Internally, the salt used to scramble the user's entered passphrase and to generate ALL of the internal keys for encryption is random every time you run TripleSec. Also, there are 3 internal initialization vectors (or IV's) that are also completely random every time. Meaning you could encrypt the same 20 bytes over 5000 times, and every time you'll get a different resulting output, even with the same key.

For your purpose you want to use SCRYPT directly with a different random salt for each user. Store the hash output and the salt for each user and you'll be fine. SCRYPT can run on the client machine and even if an attacker gets the hash output, the damage is limited. TripleSec is not what you need for that purpose.

I vote this issue be closed.

[SimeonC]

Thanks for the explanation. I'll look into using some other crypto library.

[SparkDustJoe]

Best of luck! :)