http://arstechnica.c...sier-than-ever/
Like MD5, SHA1 was never really intended to be used as a hash for passwords. Use SHA512, bcrypt, or any of the slower hashes that take multiple passes over a string. Use salt. Use phpass rather than rolling your own: http://www.openwall.com/phpass/
Yet Another Reason Not To Use Sha1 As A Password Hash
Started by KevinM1, Dec 05 2012 10:31 AM
6 replies to this topic
#1
KevinM1
-
- Moderators
-
- 4,861 posts
Advanced Member
- LocationNew Hampshire, USA
Posted 05 December 2012 - 10:31 AM
My rarely updated, incredibly rambing, questionably informative blog || Don't go to w3schools || Using 'global' is a sign of doing it wrong
#2
Beeeeney
-
- Members
-
- 194 posts
Advanced Member
- LocationEngland!
- Age:20
Posted 05 December 2012 - 10:37 AM
I know some of those words.
#3
Hall of Famer
-
- Members
-
- 292 posts
OOP Fanboi
- LocationIthaca
Posted 05 December 2012 - 10:37 AM
Well in my script I first use md5 on the raw password, then apply sha1 on the combined username and md5'd password. Finally the new string is concatenated with salt and pepper, a sha512 function is then acted on the combined string to give a final result. The difference between pepper and salt is that the former is hard coded for each site/application, while salt is user-specific and alterable. Heres the way I did it lol:
Kinda weird isnt it?
public function encrypt($username, $password, $salt){
$config = Registry::get("config");
$pepper = $config->peppercode;
$password = md5($password);
$newpassword = sha1($username.$password);
$finalpassword = hash('sha512', $pepper.$newpassword.$salt);
return $finalpassword;
}
Kinda weird isnt it?
Edited by Hall of Famer, 05 December 2012 - 10:39 AM.
Welcome to the world of OOPHP! In a perfect script, everything is an object. You cannot be perfect, but you can approach as close as can.
#4
RobertP
-
- Members
-
- 281 posts
Advanced Member
Posted 05 December 2012 - 08:31 PM
you could just use the native crypt function..
blowfish implementation
blowfish implementation
private function encrypt($string, $salt) {
if (strlen($salt) < 21)
trigger_error('Member#encrypt: Failed due to salt length less then 21.', E_USER_ERROR);
return crypt($string, '$2y$10$' . $salt . '$');
}
Edited by RobertP, 05 December 2012 - 08:31 PM.
u tha king Pikachu2000!!
#5
Amplivyn
-
- Members
-
- 26 posts
Member
Posted 14 December 2012 - 06:14 PM
I was using sha1... must change...
Just wondering though, are there any specific PHP security books you guys recommend?
Just wondering though, are there any specific PHP security books you guys recommend?
#6
Christian F.
-
- Gurus
-
- 3,055 posts
Advanced Member
- LocationNorway
Posted 15 December 2012 - 03:00 AM
Not PHP specific, but Innocent Code is highly recommended for all web developers. Though, we're moving a bit off-topic here, so I suggest starting a new thread for this, if there isn't one already, in the right section. 
Keeping it simple.
#7
Stefany93
-
- Members
-
- 116 posts
Advanced Member
- LocationBG
- Age:19
Posted 15 December 2012 - 04:11 AM
Opencart uses SHA1 for storing passwords. I was a bit shocked when I saw that since that hashing algorithm is now obsolete.
Edited by Stefany93, 15 December 2012 - 04:12 AM.
"Never take counsel of your fears!" - Stonewall Jackson
My site - http://dyulgerova.info
0 user(s) are reading this topic
0 members, 0 guests, 0 anonymous users
