This is something for the true geeks…
I’ve recently been upgrading my website (dafos.be) to be friendly for mobile devices (using the “Bootstrap” library, if you’re into that sort of thing) and came across a trick I used to make a secured area for customers. It’s secure enough to stop anyone except a really dedicated hacker who actually breaks into my account, yet didn’t cost me an arm and a leg in high-security software to implement.
The problem with most cheap solutions you find on the hinderwebs is that they store the usernames and passwords as plain text inside the code that’s loaded with the page. It takes no more than “show source” in a web-browser to get a list of the users and passwords on that particular website.
So, I applied a bit of a trick used in my data modem days (remember those funny warbling sounds going over the telephone?) – a “scrambler” would be used to break up repetitive sequences of data that could cause the modem to essentially get it gloriously “wrong” and drop out. By similarly scrambling up usernames and passwords, they can be stored in an encrypted form. By doing the same scrambling when the user enters a name and password and looking for the same scrambled sequence in a list, a valid user can be identified, while those absolute cads who’d want to break into my website and steal my customers’ photos have a harder time.
I’d need a real cryptologist to check this, but I suspect that the scrambler I used is non-reversible (can’t run it backwards to get the original user/password out of it) which means that even if someone does look at the page source and figures out how it works, they still couldn’t recover valid user-names and passwords.
In fact, I suspect that the same crypto-expert would object to the term “Scrambler” and would probably choose “Hash” instead!