Help to recover password from an unknown hash type
#4
Well no, "crypto" is short for "cryptography."

By the way, your title is wrong. The hash type is not unknown in your example, it's simply nonexistent. The application you have here is simply using Twofish to encrypt each password, there's no hashing at all.

But yes, this is an absolutely terrible way to store passwords. If an attacker has access to the database they almost always also have access to the encryption key. So instead of cracking each password individually, they can simply steal the key and decrypt the entire database. It's essentially no different than storing them in plaintext.

This is why we never encrypt passwords; we always hash them, using a password-hashing function such as bcrypt.


Messages In This Thread
RE: Help to recover password from an unknown hash type - by epixoip - 01-06-2015, 09:44 AM
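
The contrast drawn in the reply above, as an added example that is not part of the original thread: reversible encryption under one application key next to salted one-way password hashing. Assumptions: a toy XOR cipher stands in for Twofish, scrypt from Python's standard library stands in for bcrypt, and all function names, parameters and sample values are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (constructed for this example).
N, R, P, DKLEN = 2**14, 8, 1, 32


def toy_encrypt(key: bytes, password: str) -> bytes:
    """Reversible stand-in for the Twofish scheme (toy XOR, not secure)."""
    data = password.encode()
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def toy_decrypt(key: bytes, stored: bytes) -> str:
    """Whoever holds the application key recovers every row the same way."""
    stream = hashlib.shake_256(key).digest(len(stored))
    return bytes(a ^ b for a, b in zip(stored, stream)).decode()


def hash_password(password: str) -> str:
    """One-way record: scheme$n$r$p$salt$digest, with a fresh salt per user."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    enc = lambda b: base64.b64encode(b).decode()
    return f"scrypt${N}${R}${P}${enc(salt)}${enc(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_b64, dk_b64 = record.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        candidate = hashlib.scrypt(password.encode(), salt=salt, n=int(n),
                                   r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, binascii.Error):
        return False  # malformed or unsupported record
    return hmac.compare_digest(candidate, expected)
```

The hashed records contain no key and have no decrypt function: the server only ever recomputes and compares, and the per-user salt makes two identical passwords produce different records.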