Try designing a system that can't be exploited and must rely on its algorithm's correctness such that only a brute force solution exists.
Few algorithms are correct such that their computational complexity alone is what provides their security. Without a formal proof, an audit and some testimony of experts I will not believe your hand-rolled algorithm is correct.
This is why you rely on proven algorithms and implementations and never roll your own. But you should not believe that using a correct algorithm alone should be enough to deem a system secure.
Its implementation might be exploitable in a way that sidesteps the security provided by your algorithm.
The idea that it might take an attacker five billion years to brute force your cipher text for a solution is nice, but if you're exchanging keys in an insecure way then that security goes right out the window.
Storing your salt on the same DB? Your search time for a solution is cut down since you can grab that as well.
This is why emphasis is placed on tearing apart a system that claims it is secure. Most of the time it isn't, and usually in ways that are easily identifiable.
Having good faith in the developer isn't an ideal when the well-being of many people might be at stake because of claims that cannot be backed up.
Few algorithms are correct such that their computational complexity alone is what provides their security. Without a formal proof, an audit and some testimony of experts I will not believe your hand-rolled algorithm is correct.
This is why you rely on proven algorithms and implementations and never roll your own. But you should not believe that using a correct algorithm alone should be enough to deem a system secure.
Its implementation might be exploitable in a way that sidesteps the security provided by your algorithm.
The idea that it might take an attacker five billion years to brute force your cipher text for a solution is nice, but if you're exchanging keys in an insecure way then that security goes right out the window.
Storing your salt on the same DB? Your search time for a solution is cut down since you can grab that as well.
This is why emphasis is placed on tearing apart a system that claims it is secure. Most of the time it isn't, and usually in ways that are easily identifiable.
Having good faith in the developer isn't an ideal when the well-being of many people might be at stake because of claims that cannot be backed up.