Hello!
Sorry if this is a question that is difficult to answer but I don't know where else to turn for help.
I am developing an online game. It will have a database with potentially thousands of passwords, email addresses and usernames...
I want to do everything possible to keep this data secure, by using both encrypted communications and making sure that our database is secure from theft and hacking.
I have read up on password salting on Google but every page usually just says add a salt to protect from rainbow tables. Many of these articles are old and out of date.
I am smart. I know that MD5s can be brute forced. I know that even if I salt my passwords, those salts can be reversed because apparently a large percentage of my passwords are going to be very weak. It is not too much more work to run a rainbow table or a brute force hash on the password "password" and find out what salt I am using. If my salts are dynamic then they can use multiple results for "password" and figure out my algorithm.
So, as I look into the future and try to come up with a real secure way to protect this user data, does anybody have any good links to read up on this?
My best solution right now is to generate a salt by taking random characters from the username and email address in a unique and reproducible way. Then I will take the salt and the password and hash them together. Then I will take that MD5 and hash it with the current date as well as a special password that only I know. Then store THAT in the database, along with the date of last access. Every time the user logs in, the hash is recalculated by unencrypting the MD5 and re-encrypting it with today's date.
Will this even add a good amount of protection or is there still a really easy way to get to the user data? Should I just use something different than MD5? Again... any links or leads to more info would be greatly appreciated.
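An added example, not part of the original post: the scheme described above (a salt rebuilt from username and email, one fast MD5) next to a stored record that uses a random per-user salt, a deliberately slow hash, and a server-side secret. PBKDF2-HMAC-SHA256, the iteration count, the record format and all function names are assumptions chosen for illustration; the pepper stands in for the "special password that only I know".

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune so one hash takes a noticeable fraction of a second

def derived_salt(username: str, email: str) -> bytes:
    """Constructed stand-in for the post's idea: a salt rebuilt from account fields."""
    return (username[::2] + email[1::3]).encode()

def fast_md5_record(password: str, username: str, email: str) -> str:
    """The 'before': a single fast MD5 over derived salt + password."""
    return hashlib.md5(derived_salt(username, email) + password.encode()).hexdigest()

def hash_password(password: str, pepper: bytes, iterations: int = ITERATIONS) -> str:
    """Slow salted hash; the random salt and the parameters are stored in the record."""
    salt = os.urandom(16)  # per-user and unpredictable; it does not need to be secret
    keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", keyed, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, pepper: bytes, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        keyed = hmac.new(pepper, password.encode(), hashlib.sha256).digest()
        candidate = hashlib.pbkdf2_hmac(
            "sha256", keyed, bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex, bad count
        return False

def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record used a lower work factor; rehash after the next good login."""
    return int(record.split("$")[1]) < iterations
```

Because the salt and iteration count travel with each record, the work factor can be raised later by rehashing at login, with no date or reversible step involved.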