Archived

This topic is now archived and is closed to further replies.

Ninjakreborn

bottom line, last encryption post

I think encryption/decryption has its purposes, I studied it enough, the bottom line
should I store passwords in plain text to a database.
If not then I can go with hash, but I saw that the function is called
hash()
and the first parameter is the type sha1, you could use as a type instead of a standalone function, is this true, I also read sha1 has been decrypted somewhere, I will show a link later.
So if I hash something how do I match the text passwords up to see if they're the same, is there any chance of it being wrong.

http://www.md5encryption.com/
http://weblogs.asp.net/pleloup/archive/2003/07/09/9851.aspx

I would use a salt with whatever hashing algorithm you use.  For example:
[code]
<?php
$password = "bob";
srand( microtime( true ) );

/*Variable initialization*/
$salt_template = "0123456789ABCDEF";
$salt = '';
/*Create a random string with template of length 10*/
for ( $i = 0; $i < 10; $i++ )
{
    $salt .= substr( $salt_template, rand() % 16, 1 );
}
$hash = md5( $password . $salt ) . $salt;
?>
[/code]

Then to compare it to the plain text..
[code]
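<?php
// The user entered bob, which arrives as the variable $password
$password = $_POST['password'];
// Get the stored pw from the db ($row is a placeholder for the fetched row)
$pw = $row['password']; // ...from db query...
// The salt is the last 10 characters of the stored value
$salt = substr( $pw, -10 );
// Strict comparison so two different hex strings are never treated as equal numbers
if ( md5( $password . $salt ) . $salt === $pw )
    echo 'golden';
else
    die();
?>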
[/code]

Way too over my head
[code]<?php
$password = "bob";
srand( microtime( true ) );

/*Variable initialization*/
$salt_template = "0123456789ABCDEF"; // this
$salt = ''; // this
/*Create a random string with template of length 10*/
for ( $i = 0; $i < 10; $i++ ) // this
{
$salt .= substr( $salt_template, rand() % 16, 1 );
}
$hash = md5( $password . $salt ) . $salt;
?>[/code]
I don't understand, I see those $i = 0, X0212 whatever I see that a lot but I have never had to use anything like that what is it, and the salt template, won't I have to build a different template for each one, or could I use the first 2 letters of the username as salt.

In my opinion, you should [i]never[/i] store passwords in plain text form.
[quote]the first parameter is the type sha1, you could use as a type instead of a standalone function, is this true, I also read sha1 has been decrypted somewhere[/quote]
I don't quite understand what you mean there, but yes, you can either use the sha1() function, or as an algorithm type within hash(). From what I have read, SHA-1 [i]has[/i] been cracked, but not in a way that is totally useful. I think it requires a technique similar to brute-forcing, but based on collisions.
[quote]So if I hash something how do I match the text passwords up to see if they're the same, is there any chance of it being wrong.[/quote]
You hash the string and match it against the stored hash of the password.

http://us3.php.net/manual/en/function.hash.php
string hash ( string algo, string data [, bool raw_output] )

so
hash("md5", $data,);
question 1- should I set the 3rd parameter to true or false, when I choose the algorithm can I use it all through hash
examples
[code]hash("sha1", $data);
hash("md4", $data);
hash("sha256", $data);[/code]
Is this logical, also when I look at the functions in the manual, there is nowhere to provide salt at, where would the salt come in.
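
Added example (not part of the original thread and not any poster's code): where the salt goes when using hash(), following the salt-appended layout from the earlier post but with a CSPRNG salt and a constant-time comparison. The function names and the sample password are hypothetical; the last lines show PHP's built-in password_hash()/password_verify(), which generate and store the salt for you.

```php
<?php
// Added example; function names are hypothetical, sample passwords are constructed.

const SALT_HEX_LEN = 32;   // 16 random bytes, hex-encoded
const DIGEST_HEX_LEN = 64; // sha256 as a hex string

// hash() has no salt parameter: the salt is simply part of the data being hashed.
// The third parameter stays at its default (false) so the digest is a hex string
// that fits a text column.
function make_salted_hash(string $password): string
{
    $salt = bin2hex(random_bytes(SALT_HEX_LEN / 2)); // CSPRNG instead of rand()
    return hash('sha256', $password . $salt) . $salt; // digest with salt appended
}

function check_salted_hash(string $password, string $stored): bool
{
    if (strlen($stored) !== DIGEST_HEX_LEN + SALT_HEX_LEN) {
        return false; // malformed record
    }
    $salt = substr($stored, -SALT_HEX_LEN); // recover the salt from the stored value
    $expected = hash('sha256', $password . $salt) . $salt;
    return hash_equals($stored, $expected); // constant-time string comparison
}

$stored = make_salted_hash('bob');
var_dump(check_salted_hash('bob', $stored));   // correct password
var_dump(check_salted_hash('bobby', $stored)); // wrong password
// A fresh salt is drawn on every call, so the same password is stored differently.
var_dump(make_salted_hash('bob') === $stored);

// A single fast hash is cheap to brute-force even when salted. PHP's built-in
// password API uses a deliberately slow algorithm and embeds the algorithm,
// cost and salt in the one string you store.
$record = password_hash('bob', PASSWORD_DEFAULT);
var_dump(password_verify('bob', $record));   // correct password
var_dump(password_verify('bobby', $record)); // wrong password
```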

