Score:0

Use name as the initialization vector to encrypt passwords for users


I'm using AES-256-CBC to encrypt password for a set of users, and for each user in the database we gotta generate and store the password in the database. The database has a constraint that the name of the user must be unique, so I was wondering if using the name of the person as the initialization vector was okay, because names are sufficiently random from a cryptographic perspective. If I encode it to hex and use the 16 bytes for the IV, would it be okay? This would give me one less thing to store in the database.

Score:2

> encrypt password for a set of users

You should hash the passwords for users instead of encrypting them; rarely does an application need to recover the password for any purpose.

PHP has `password_hash` and `password_verify` functions that replace the `crypt` function that provides password hashing functionality, and it's broadly interoperable with other implementations of SHA-256/512, BCrypt, Argon password hashing algorithms.

Your specific environment may ship with its own implementations. Python has PassLib.

troubleddev: for my use case, I need to encrypt the password, and because I need to decrypt it later, please do tell me if using the unique username is okay
DannyNiu: @troubleddev You do realize AES has a block size of 128 bits, do you? Then how are you supposed to encrypt passwords shorter than 16 octets using the CBC mode?
troubleddev: would concatenating by repetition of the same value, e.g. `appleappleapple`, for a sufficiently long key not be suitable?
DannyNiu: @troubleddev All these just show that you're not fully informed to make security-related decisions. Let your employer hire a specialist if you haven't already, and involve him in the entire process.
Amit: @troubleddev -- you may think you need to decrypt the password for example because you need to check the password history. Many systems don't allow changing a password to one that's too similar. There are ways however to accomplish this without storing the password itself.