re: PHP Security: Passwords

re: While there are some good ideas here, this all sounds like a really bad idea. Bcrypt does a really good job and can be tuned to be even harder to cra...

And why do you make it sound like it's so easy to break AES encryption? Is it?


Since the application must keep the AES key around somewhere handy, in the event of a compromise it's going to get stolen as well and then your encryption is worthless as they have the key.

From there dealing with a single layer of HMAC is pretty trivial.
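The tunability the first comment refers to is the part an AES layer cannot replace: bcrypt's cost is stored inside the hash and can be raised over time without any key to protect. Added example (not code from the thread or the linked post) showing how to pick a cost for the current hardware with PHP's built-in `password_hash` API and how to upgrade older hashes on login; the target of roughly 250 ms per hash is an assumption, not a value from the thread.

```php
<?php
// Added example: choose a bcrypt cost so that a single hash takes about
// $targetMs on this machine, then hash, verify, and upgrade a weaker hash.
function chooseBcryptCost(int $targetMs = 250, int $minCost = 10, int $maxCost = 31): int
{
    $cost = $minCost;
    do {
        $start = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsedMs = (microtime(true) - $start) * 1000;
        if ($elapsedMs >= $targetMs) {
            break;
        }
        $cost++;
    } while ($cost < $maxCost);
    return $cost;
}

$cost = chooseBcryptCost();
printf("Using bcrypt cost %d\n", $cost);

// Constructed sample password for the demonstration only.
$plaintext = 'correct horse battery staple';

// The resulting hash embeds its own salt and cost ("$2y$<cost>$..."),
// so the only thing stored is the hash itself; there is no key to steal.
$hash = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => $cost]);
var_dump(password_verify($plaintext, $hash));
var_dump(password_verify('wrong password', $hash));

// On a successful login, rehash if the stored hash was made with a lower
// cost than the current setting, so the whole table catches up over time.
$legacyHash = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => 4]); // constructed "old" hash
if (password_needs_rehash($legacyHash, PASSWORD_BCRYPT, ['cost' => $cost])) {
    $legacyHash = password_hash($plaintext, PASSWORD_BCRYPT, ['cost' => $cost]);
    echo "Legacy hash upgraded to cost {$cost}\n";
}
```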

