The author tries to trick you into believing it is secure by including a salt. However the resulting key space of the "hash" gives you the same security as a 5-6 character alphanumeric password. A motivated attacker could enumerate all possibilities in a few hours.
You could use that argument to say 4-digit bank card PINs are really bad security - and you'd be right, except that they're always locked out after N attempts.
Why not the same approach here? if you try to brute force a password reset, you lock out further attempts for a few minutes.
oh no ... I am unable to change my (perfectly secure) password for ten minutes because an attacker is attempting to brute force my password reset. I'd regard that as a feature, not a bug.
Interesting. Effectively it's base62 encoding with a fixed salt. I think saying "encrypt" and "decrypt" is sort of misleading, even though you call the non-cryptographic nature of the hashing in the README files.
For my own products I do something a little different. Instead, when I create a record I generate a random number (with Ruby's SecureRandom module) and store the base32 encoding in the database. With the universe set at 1bil, this reliably generates a random 6 character string that I can safely show to the customer.
You're storing 6-char base-32 values, so 1073741824 possibilities, but you've got 50-50 chance of collision after 38582 values - that's not a lot, the birthday paradox bites again! Using much larger random values or hashes gives you a better safety margin.
> this reliably generates a random 6 character string that I can safely show to the customer
Are you sure about that? You might want to consider a smaller alphabet, with vowels and ambiguous letters/numerals (0/O, 1/l/I) omitted. That has two advantages: you won't accidentally generate an identifier containing meaningful words (notably profanity), and the identifiers become easier to unambiguously transcribe and interpret. And you'll still reliably get a 6-character identifier as long as you have at least 32 symbols to use.
That's a fair point. So far there hasn't been any transcribing necessary because I have the customers reply to their receipt emails if they have a problem, but that's definitely something to consider if you have to do phone support.
It's also useful for anything where they might retype the string. (Even if you tell them to copy/paste, some people will still retype.) Not that this necessarily applies to you, but for others considering similar schemes, avoiding I/1/l and such can be really handy.
>> A true cryptographic hash cannot be decrypted. However, to keep things simple the word hash is used loosely to refer to the random set of characters that is generated -- like a YouTube hash.
I've used the Blowfish cipher to obfuscate database IDs into youtube-like URLs. Blowfish has a small 64-bit blocksize which fits nicely into a base64'd URL param.
I recently tried using this for a project but ended up switching. I don't really need the encryption ability. More of an issue though is that there is no way to force that the hashes are "short". If you use their example for hashing the default _id in Mongo, you'll end up with a fairly long hash. The only way I could get them short was to switch to an auto-increment starting at 1 and then they will remain short for as long as the number is small. This presented other issues and in the end I found ShortId [1] which made the whole process much simpler.
I mocked up something similar [1] a while ago, although operating on fixed-length integers instead of db keys and not designed with any regard for the "decryption" process. I'm curious if it's flawed in any significant way for the purpose of converting sequential ids into apparently-random distinct ids.
I've been using this for a while now and I'm pretty happy with it. Java implementation of Crockford's Base32 algorithm for encoding simple numeric values:
You still need to remove '5' and 'S'. I'd like a to see people use similar algorithms for mobile input. The two most important characteristics would be to be purely lowercase and to cluster numbers and letters to minimize keyboard switching.
Please don't.
The author tries to trick you into believing it is secure by including a salt. However the resulting key space of the "hash" gives you the same security as a 5-6 character alphanumeric password. A motivated attacker could enumerate all possibilities in a few hours.