
Yet Another Reason Not To Use Sha1 As A Password Hash


6 replies to this topic

#1 KevinM1

KevinM1

    Snarkimus Prime

  • Moderators
  • 5,189 posts
  • Location: New Hampshire, USA

Posted 05 December 2012 - 10:31 AM

http://arstechnica.c...sier-than-ever/

Like MD5, SHA1 was never really intended to be used as a hash for passwords. Use SHA512, bcrypt, or any of the slower hashes that take multiple passes over a string. Use salt. Use phpass rather than rolling your own: http://www.openwall.com/phpass/

#2 Beeeeney

Beeeeney

    Advanced Member

  • Members
  • 194 posts
  • Location: England!
  • Age: 20

Posted 05 December 2012 - 10:37 AM

I know some of those words.

#3 Hall of Famer

Hall of Famer

    OOP Fanboi

  • Members
  • 315 posts
  • Location: Ithaca

Posted 05 December 2012 - 10:37 AM

Well, in my script I first use md5 on the raw password, then apply sha1 on the combined username and md5'd password. Finally, the new string is concatenated with salt and pepper, and a sha512 function is then applied to the combined string to give the final result. The difference between pepper and salt is that the former is hard-coded for each site/application, while salt is user-specific and alterable. Here's the way I did it lol:

    // Scheme as posted: md5 of the password, sha1 over username + that digest,
    // then sha512 over pepper (site-wide, from config) + that digest + per-user salt.
    public function encrypt($username, $password, $salt) {
        $config = Registry::get("config");
        $pepper = $config->peppercode;      // hard-coded per site/application
        $password = md5($password);
        $newpassword = sha1($username . $password);
        $finalpassword = hash('sha512', $pepper . $newpassword . $salt);
        return $finalpassword;
    }

Kinda weird, isn't it?

Edited by Hall of Famer, 05 December 2012 - 10:39 AM.

Welcome to the world of OOPHP! In a perfect script, everything is an object. You cannot be perfect, but you can approach as close as you can.



#4 RobertP

RobertP

    Advanced Member

  • Members
  • 288 posts

Posted 05 December 2012 - 08:31 PM

you could just use the native crypt function..

blowfish implementation
    // bcrypt via the native crypt(): '$2y$' selects Blowfish, '10' is the cost,
    // and the salt must be exactly 22 characters from the alphabet ./A-Za-z0-9
    // (a trailing '$' is not part of that alphabet and makes crypt() fail).
    private function encrypt($string, $salt) {
        if (strlen($salt) < 22)
            trigger_error('Member#encrypt: Failed due to salt length less than 22.', E_USER_ERROR);
        return crypt($string, '$2y$10$' . substr($salt, 0, 22));
    }

Edited by RobertP, 05 December 2012 - 08:31 PM.

u tha king Pikachu2000!!
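Added example (not code from any poster in this thread) putting together the advice in #1 (slow hash, per-user salt) and the native crypt() route from #4: a bcrypt hash with a correctly generated 22-character salt, plus a verify step that re-runs crypt() with the stored hash and compares in constant time. It assumes PHP 5.3.7 or later (for the '$2y$' prefix) and that openssl_random_pseudo_bytes() is available; the function names are mine.

```php
<?php
// Added example, not from this thread. Assumes PHP >= 5.3.7 and the openssl extension.

function bcrypt_hash($password, $cost = 10) {
    // bcrypt needs 22 characters from ./A-Za-z0-9 after '$2y$NN$'.
    // 16 random bytes -> 24 base64 chars (last two are '=' padding);
    // base64's '+' is not in the bcrypt alphabet, so map it to '.'.
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    $hash = crypt($password, '$2y$' . sprintf('%02d', $cost) . '$' . $salt);
    // A bcrypt result is always 60 characters; crypt() returns something
    // much shorter (e.g. '*0') when the salt/prefix is malformed.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed: check salt and prefix');
    }
    return $hash;
}

function bcrypt_verify($password, $stored) {
    // The stored hash carries prefix, cost and salt, so it works as the salt argument.
    $candidate = crypt($password, $stored);
    if (strlen($candidate) !== strlen($stored)) {
        return false;
    }
    // Constant-time comparison: do not short-circuit on the first differing byte.
    $diff = 0;
    for ($i = 0; $i < strlen($stored); $i++) {
        $diff |= ord($candidate[$i]) ^ ord($stored[$i]);
    }
    return $diff === 0;
}

// Usage: keep only $hash in the database; it already embeds the cost and salt.
$hash = bcrypt_hash('correct horse battery staple');
var_dump(bcrypt_verify('correct horse battery staple', $hash));
var_dump(bcrypt_verify('not the password', $hash));
```

On PHP 5.5 and later the built-in password_hash() and password_verify() do the same job (bcrypt, random salt, constant-time compare) and are the simpler choice; phpass covers older versions.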

#5 Amplivyn

Amplivyn

    Member

  • Members
  • 26 posts

Posted 14 December 2012 - 06:14 PM

I was using sha1... must change...

Just wondering though, are there any specific PHP security books you guys recommend?

#6 Christian F.

Christian F.

    Advanced Member

  • Staff Alumni
  • 3,106 posts
  • Location: Norway

Posted 15 December 2012 - 03:00 AM

Not PHP specific, but Innocent Code is highly recommended for all web developers. Though, we're moving a bit off-topic here, so I suggest starting a new thread for this, if there isn't one already, in the right section. ;)
Keeping it simple.

#7 Stefany93

Stefany93

    Advanced Member

  • Members
  • 167 posts
  • Age: 20

Posted 15 December 2012 - 04:11 AM

Opencart uses SHA1 for storing passwords. I was a bit shocked when I saw that since that hashing algorithm is now obsolete.

Edited by Stefany93, 15 December 2012 - 04:12 AM.

"Never take counsel of your fears!" - Stonewall Jackson
My site - http://dyulgerova.info
