How secure is this?

[waynewex]

Anyone who is a bit more knowledgeable on password hasing; please give me feedback on how secure this is. Thanks.

 

<?php

function pass_hash($original){
    
     $pass = sha1($original);
     $pass = sha1("hsyens!".$pass."jhjs23!jh");
     $pass = $pass.$pass;
     $pass = sha1($pass);

     return $pass;

}

?> 

 

 

[ratcateme]

yea i think that looks robust but remember sha1 is unreversable so if you are going to try crack it you would properly try a brute force attack so adding

     $pass = sha1("hsyens!".$pass."jhjs23!jh");
     $pass = $pass.$pass;
     $pass = sha1($pass);

might end up with the same hash as "a" or the same has as "asdasd" just adding some random stuff like "jhjs23" to the original password should secure it providing your source is secure and no one else is going to find out your method

 

Scott.

[waynewex]

Cheers Scot! 

[JonnoTheDev]

It depends on how you are using this.

Are you encrypting passwords to store in a database? If you are using a form to authenticate users i.e. username and password then taking the password value, running it through your function and comparing it to a database value to authenticate then there is still an element of insecurity. Because POST requests are made in name=>value pairs in clear text the password that a user types in can be intercepted before it gets to the server via a packet sniffer. The most secure way is to encrypt the password on the client side before it is sent to the server.

 

Take a look at http://pajhome.org.uk/crypt/md5/

 

This uses MD5 encryption

[LemonInflux]

To be honest, any salt hash isn't absolutely secure. The only thing that makes md5($pass) less secure than md5($pass .'1@$@$^#UTGJAAV'); is the amount of already 'cracked' md5 hashes.

 

----------------

Now playing: Red Hot Chili Peppers - Breaking The Girl

via FoxyTunes

[waynewex]

Client side? As in Javascript?

[MFHJoe]

Client side? As in Javascript?

I think he does mean JavaScript. Only problem with doing it like that is is, if the user has JavaScript turned off, it'll mess up the whole system.

[waynewex]

I was thinking that. Also:

 

Over the web, JS cryptography can only protect against passive eavesdropping, as the JavaScript itself is downloaded over an insecure link. If an attacker can modify network traffic, they can make malicious changes to the JavaScript code.

 

In any case, JS interpreters are not designed for secure programming. They may leave sensitive information lying about in memory. They're too slow for some algorithms, e.g. BSD-style MD5 passwords, or RSA with full-size keys. Bitwise operations are buggy in several implementations.

 

I suppose that it can help though. No JS would be a major problem.

[JonnoTheDev]

If a user has javascript turned off then the value will not be encrypted and then never match up to any encrypted stored password anyway so they would never be able to authenticate. You can also detect this behaviour in your application anyway using <noscript> tags

[JonnoTheDev]

If it is the case that this is for website authentication and you are not confident that the above would help then purchase and install an SSL certificate. Users passwords can still go through your function and marry up to database stored versions.

[waynewex]

I suppose that you could write the HTML for the form with JavaScript and then display "You need JavaScript" with <noscript>. Although that's still open to manipulation. How much does SSL cost?

[MFHJoe]

How much does SSL cost?

Depends who you buy it with. A big company (Verisign for example) costs about $900 apparently a year. Other less known registrars can be quite a lot cheaper.

[waynewex]

Btw, it's for an admin login section. I'm expecting the login section to come under some slight pressure from others if you know what I mean. Although the folders are protected with index.php redirects back to the homepage, I'm still a bit iffy about it all.

[JonnoTheDev]

This depends on the type of certificate. Obviously the most expensive offer the highest protection and are probably way beyond your needs. Go to godaddy.com or someone similar. UK price is about £40 for a cert and we use to protect payment details, etc on websites without any issue.

[waynewex]

I've been using the free edition of Acunetix (xss only) and I might start experimenting with Wireshark. Damn security costs money. Knowledge isn't enough.

[JonnoTheDev]

I would put the initial login form then behind an .htpasswd (if linux)

[waynewex]

Yea, I'll probably need to do that.

 

Is there any vulnerability scanners out there that are good, free and pretty easy to use?