taichimasta, posted October 9, 2008

Question: I'm trying to go about protecting my database, in which I will be using a hash and salt; the thing is, how would I go about it?

2nd question: I read "never save the password/hash into the database". Is that even possible when you have users who need to log in? lol

Hope everyone understands the question(s).

3rd question: I'm trying to make my database clear, or set a query, at 30 min or 2 months. Are there any functions that I could write to have that done?

Thread: https://forums.phpfreaks.com/topic/127783-solved-going-about-hashsalt/
xtopolis, posted October 10, 2008

1) A hash + salt is simply something like:

<?php
$pass = $_POST['password']; // the password the user typed into the form
$salt = '12c32df'; // random value, or word, or w/e. BUT ONCE CREATED, DON'T CHANGE
// ^-- usually stored in a config file. If you forget the salt, it will be almost impossible
// to authenticate
$password = md5($pass.$salt); // store the $password var in the database
// consider using a better hash such as whirlpool: hash('whirlpool', $pass.$salt);
?>

2) You should never store plain text passwords, period. It is considered 'relatively safe' to store one-way hashes of passwords for authentication. This is where they enter their plain text password into a form, you hash it, and compare it to your stored hash. A salt is recommended so that if someone gets hold of your database somehow, they will have trouble rainbow-tabling it.

3) What? Yes, feel free to write it and show us your code for help.
taichimasta (author), posted October 10, 2008

Plain text? Varchar is plain text? (Kind of a dumb question, but w/e.)
xtopolis, posted October 10, 2008

Plain text meaning something human readable/decipherable, in this context.

If my password is "cat", and you store "cat" in the database, and someone steals your database, someone now knows my password is "cat".

If my password is "cat" and you store the md5 hash of "cat" => "d077f244def8a70e5ea758bd8352fcd8" in the database, and someone steals your database, they are 10 seconds away from discovering my password. (Go to http://gdataonline.com/seekhash.php and type in: d077f244def8a70e5ea758bd8352fcd8 and see what it tells you.)

If my pass is "cat" and you store an md5+salt of "catINTHEHAT" ($cat.$salt) => "ad6d9e3e575af5aadba166eab7645dab", and someone steals your database, they'll have a much harder time trying to find out what my password is.

If my pass is "cat" and I do a whirlpool hash of "cat" => "f62082311e1548a968b52af4b63e4e33284aac01b4395ec631cb727590a3f52498dfb49b27f5dfe5bc529028d97d1b6eac23f098fca48ae88a835d7681368f44" and someone steals my database, I will not worry too much about it, because as it stands now, by the time they could crack it, they will probably move on.

~~ SUMMARY OF HASHES ~~
Don't think that length = security just because I showed whirlpool last. Salts make common hashes uncommon, lengthening the time required to guess correctly, hopefully to an amount of time where they give up.
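The lookup-table point in the post above, made concrete as an added example (this is not code from the thread). The five-word list and the salt INTHEHAT are constructed for the demo; hash(), md5() and hash_equals() are standard PHP (7+ assumed). It also shows the caveat a practitioner wants alongside the post's summary: one site-wide salt does defeat a precomputed table, but once the salt leaks with the database (it lives in the same config file as the DB credentials and is identical for every user) a word list recovers the salted hash just as quickly, and whirlpool's longer output does not change that, because both functions are fast.

```php
<?php
// Added example, not from the thread. Word list and site-wide salt are constructed.
declare(strict_types=1);

// A tiny stand-in for a precomputed lookup (rainbow) table of unsalted md5 hashes.
$wordList = ['dog', 'cat', 'password', 'letmein', 'hunter2'];
$lookupTable = [];
foreach ($wordList as $word) {
    $lookupTable[md5($word)] = $word;
}

// Case 1: an unsalted md5("cat") (the hash quoted in the post,
// d077f244def8a70e5ea758bd8352fcd8) is found by a single table lookup.
$stolen = md5('cat');
$found = $lookupTable[$stolen] ?? null;

// Case 2: a site-wide salt defeats the precomputed table, because the table
// was built from bare words, not word.salt ...
$siteSalt = 'INTHEHAT';                 // constructed; in the post this sits in config
$stolenSalted = md5('cat' . $siteSalt);
$foundSalted = $lookupTable[$stolenSalted] ?? null;

// ... but an attacker who also holds the salt just hashes each guess with it.
// One fast hash per guess, so a word list is tried in microseconds.
function guessWithKnownSalt(string $stolenHash, string $salt, array $words, string $algo): ?string
{
    foreach ($words as $word) {
        // hash_equals: constant-time comparison, so the loop itself leaks nothing
        if (hash_equals($stolenHash, hash($algo, $word . $salt))) {
            return $word;
        }
    }
    return null;
}
$recovered = guessWithKnownSalt($stolenSalted, $siteSalt, $wordList, 'md5');

// Case 3: whirlpool's 128-hex-character output does not slow this down; the
// guessing loop is identical, only the algorithm name changes.
$stolenWhirlpool = hash('whirlpool', 'cat' . $siteSalt);
$recoveredWhirlpool = guessWithKnownSalt($stolenWhirlpool, $siteSalt, $wordList, 'whirlpool');

printf("unsalted md5, table lookup:        %s\n", var_export($found, true));
printf("salted md5, table lookup:          %s\n", var_export($foundSalted, true));
printf("salted md5, salt known to attacker: %s\n", var_export($recovered, true));
printf("salted whirlpool, salt known:      %s\n", var_export($recoveredWhirlpool, true));
```

Run it with `php demo.php`; the second line is the only one where the attacker comes up empty, which is exactly the case a leaked config file removes.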
taichimasta (author), posted October 10, 2008

So let me see if I get it: don't store the password, but the salt and that of what the salt produces.

blue = adljsa98a88723uiasd982u9823 <-- example
blue + salt(*)_#(@) = ja9dsa908a298a3982323j98j32891u92

Right? Now when the person (me) logs in, how would the salt be stored, so it can be authenticated?
xtopolis, posted October 10, 2008

Not quite. My password is "cat". You will never store "cat"; you will store a hash value of the concatenation of my password + your salt. In code:

<?php
// user creates a password in a form
$pass = $_POST['password']; // contains "cat" (no quotes)
$salt = '23refasve!D@'; // (random thing)
$storePassword = md5($pass.$salt);
// ^-- now == a 32 character hash value like the ones you and I have posted.
$sql = "INSERT INTO `users` (username, password) VALUES ('Xtops', '$storePassword')"; // insert into db, etc.
?>

Now when the user goes to log in:

<?php
// login form POSTs password
$salt = '23refasve!D@'; // (same as above!)
$un = 'Xtops';
$pw = $_POST['login_pw'];
$checkPW = md5($pw.$salt);
$sql = "SELECT ID FROM `users` WHERE username='$un' AND password='$checkPW'";
?>

The second code example attempts to recreate the same hash again based off their input and your salt. It makes it a little more secure because for a user to log in they would need 2 pieces of information: (their password, your salt). They never see the salt, or know anything about it; they just know that they have a password that, when they type it in the same way, logs them in... but in reality you're altering their password.

Just remember: if you lose the salt, or change it, their password will no longer work, even if it's the same thing they've been typing in, because YOUR portion of their password is no longer the same.
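The same register/login flow as the post above, written as an added example (not code from the thread) with PHP's built-in password_hash()/password_verify() (available since PHP 5.5; the example assumes PHP 7+ and the pdo_sqlite extension). password_hash() draws a fresh random salt for every user and stores it inside the returned string together with the algorithm and cost, so there is no site-wide salt to keep in a config file and nothing to lose; bcrypt is also deliberately slow, unlike md5 or whirlpool. The in-memory SQLite table, the user name "Xtops" and the passwords are constructed for the demo; in production the PDO DSN would point at your real database.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with pdo_sqlite; table,
// user name and passwords are constructed for the demo.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

// A valid hash of a throwaway string, computed once, so a login for an unknown
// user still costs one bcrypt verification and timing does not reveal which
// user names exist.
function dummyHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Registration: the returned string ("$2y$10$<22-char salt><31-char hash>")
// is the only thing stored; the per-user salt travels inside it.
function registerUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: look the user up by name only, never by "password = '<candidate hash>'"
// in the WHERE clause, then let password_verify() read the salt and cost out of
// the stored string, re-derive, and compare in constant time.
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, dummyHash());
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // If the default algorithm or cost has moved on since the hash was made,
    // upgrade it now while the plaintext is legitimately in hand.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => (int) $row['id']]);
    }
    return true;
}

registerUser($db, 'Xtops', 'cat');
var_dump(loginUser($db, 'Xtops', 'cat'));     // correct password
var_dump(loginUser($db, 'Xtops', 'dog'));     // wrong password
var_dump(loginUser($db, 'nobody', 'cat'));    // unknown user

// Two users with the same password get two different stored strings, because
// each call picks its own random salt; a stolen table cannot be grouped by hash.
var_dump(password_hash('cat', PASSWORD_DEFAULT) === password_hash('cat', PASSWORD_DEFAULT));
```

The prepared statements with bound parameters also close the injection hole that string-building the SQL with `$un` would open once the user name comes from a form rather than a literal.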
taichimasta (author), posted October 10, 2008

OK, I think I got it. I'll do a few test runs so I can get the concept and use it. I'll use this method as a practical method. Thanks. I'll post if I use any advanced methods for salt later on.