If you cannot prove that your own encryption approach is stronger than, for example, sha256
then it’s 100% bad practice because you’re making your system less secure than it could easily be.
Don’t underestimate the expertise of talented mathematicians, hackers, reverse engineers and so on. They have a lot of strategies at their disposal to break encryption.
Let’s use an example to show how a seemingly strong encryption approach can easily be defeated if you have some experience in the field.
A naive encryption algorithm would be to XOR your input message with a random binary string. How could you possibly decrypt such a message? Let’s say your message to encrypt is hey
which is 01101000 01100101 01111001
in binary and the random binary string you use to XOR it is 10001101 00011110 10110101
. Your encrypted message would become:
01101000 01100101 01111001 (hey)
10001101 00011110 10110101 ⊕ (yourKey)
-------------------------------
= 11100101 01111011 11001100 (hey ⊕ yourKey)
Pretty strong right? Well… only until you encrypt a second message using this approach, because with some simple math you can cancel out two XOR operators. Let’s encrypt you
using the same method.
01111001 01101111 01110101 (you)
10001101 00011110 10110101 ⊕ (yourKey)
-------------------------------
= 11110100 01110001 11000000 (you ⊕ yourKey)
If we XOR these two encrypted messages, we get hey ⊕ yourKey ⊕ you ⊕ yourKey
where ‘yourKey’ is the binary string we use during encryption. Applying XOR on two identical variables cancels those out, so this simplifies the formula to hey ⊕ you
. Now if you XOR that with you
you get hey
back (uh-oh!):
11100101 01111011 11001100 (hey ⊕ yourKey)
11110100 01110001 11000000 ⊕ (you ⊕ yourKey)
-------------------------------
= 00010001 00001010 00001100 (hey ⊕ you)
00010001 00001010 00001100 (hey ⊕ you)
01111001 01101111 01110101 ⊕ (you)
-------------------------------
= 01101000 01100101 01111001 (hey)
There are a lot of other common pitfalls, like using a Caesar cipher to encrypt your data which can be decrypted by a computer within seconds. There’s 0 reason to not just use open source encryption methods which have been mathematically proven to be strong.
If you’re just doing this for fun however, it’s all fine. But if you’re going to store sensitive information please just look up industry standard encryption algorithms to use.