
bottom line, last encryption post


5 replies to this topic

#1 Ninjakreborn

Ninjakreborn
  • Members
  • PipPipPip
  • Information Technology Specialist
  • 3,922 posts
  • Age:33

Posted 21 July 2006 - 02:05 PM

I think encryption/decryption has its purposes, I studied it enough, the bottom line
should I store passwords in plain text to a database.
If not then I can go with hash, but I saw that the function is called
hash()
and the first parameter is the type sha1, you could use as a type instead of a standalone function, is this true, I also read sha1 has been decrypted somewhere, I will show a link later.
So if I hash something how do I match the text passwords up to see if they're the same, is there any chance of it being wrong.

------

Business Website: http://www.infotechnologist.biz

Personal Website: http://www.joyelpuryear.com

Blog Site: http://www.realmofwriting.com
Services: Web development, application development, mobile development, and custom development. All services listed on my website.


#2 Ninjakreborn


Posted 21 July 2006 - 02:20 PM

http://www.md5encryption.com/
http://weblogs.asp.n...07/09/9851.aspx



#3 boralyl

boralyl
  • New Members
  • Pip
  • Newbie
  • 5 posts

Posted 21 July 2006 - 02:21 PM

I would use a salt with whatever hashing algorithm you use.  For example:
<?php
$password = "bob";
srand( microtime( true ) );

	/*Variable initialization*/
	$salt_template = "0123456789ABCDEF";
	$salt = '';
	/*Create a random string with template of length 10*/
	for ( $i = 0; $i < 10; $i++ )
	{
		$salt .= substr( $salt_template, rand() % 16, 1 );
	}
$hash = md5( $password . $salt ) . $salt;
?>

Then to compare it to the plain text..
<?php
//The user entered bob which is the variable $password
$password = $_POST['password'];
//get pw in db
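$pw = $row['password']; // placeholder: ...from db query... ($row stands for the fetched user row)
$salt = substr( $pw, -10 );
// strict comparison so two hex strings are never compared as numbers
if ( md5( $password . $salt ) . $salt === $pw )
	echo 'golden';
else
	die();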
?>


#4 Ninjakreborn


Posted 21 July 2006 - 02:24 PM

Way too over my head
<?php
$password = "bob";
srand( microtime( true ) );

	/*Variable initialization*/
	$salt_template = "0123456789ABCDEF"; // this
	$salt = ''; // this
	/*Create a random string with template of length 10*/
	for ( $i = 0; $i < 10; $i++ ) // this
	{
		$salt .= substr( $salt_template, rand() % 16, 1 );
	}
$hash = md5( $password . $salt ) . $salt;
?>
I don't understand, I see those $i = 0, X0212
whatever I see that a lot but I have never had to use anything like that what is it, and the salt template, won't I have to build a different template for each one, or could I use the first 2 letters of the username as salt.



#5 Kris

Kris
  • Staff Alumni
  • Advanced Member
  • 2,755 posts
  • LocationThe Internet

Posted 21 July 2006 - 02:25 PM

In my opinion, you should never store passwords in plain text form.

the first parameter is the type sha1, you could use as a type instead of a standalone function, is this true, I also read sha1 has been decrypted somewhere

I don't quite understand what you mean there, but yes, you can either use the sha1() function, or as an algorithm type within hash(). From what I have read, SHA-1 has been cracked, but not in a way that is totally useful. I think it requires a technique similar to brute-forcing, but based on collisions.

So if I hash something how do I match the text passwords up to see if they're the same, is there any chance of it being wrong.

You hash the string and match it against the stored hash of the password.

#6 Ninjakreborn


Posted 21 July 2006 - 02:35 PM

http://us3.php.net/m...nction.hash.php
string hash ( string algo, string data [, bool raw_output] )

so
hash("md5", $data,);
question 1- should I set the 3rd parameter to true or false, when I choose the algorithm can I use it all through hash
examples
hash("sha1", $data);
hash("md4", $data);
hash("sha256", $data);
Is this logical, also when I look at the functions in the manual, there is nowhere to provide salt at, where would the salt come in.

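Added example (not code from any poster in this thread): where the salt goes when using hash(), and how a login attempt is matched against the stored value, as asked in posts #1 and #6 and sketched in post #3. The function names make_record() and check_password() and the "algo$salt$digest" record layout are assumptions made for this illustration; the last lines show PHP's built-in password_hash()/password_verify(), which generate the salt themselves and use a deliberately slow algorithm.

```php
<?php
// Added illustration; make_record(), check_password() and the record
// layout "algo$salt$digest" are hypothetical names, not a PHP API.

function make_record(string $password, string $algo = 'sha256'): string
{
    // A fresh random salt per user, taken from the system CSPRNG.
    $salt = bin2hex(random_bytes(16));
    // hash() has no salt parameter: the salt is simply part of the data.
    // Third parameter false (the default) returns hex text that fits a
    // VARCHAR column; true would return raw binary bytes instead.
    $digest = hash($algo, $salt . $password, false);
    return $algo . '$' . $salt . '$' . $digest;
}

function check_password(string $candidate, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 3 || !in_array($parts[0], hash_algos(), true)) {
        return false; // malformed record or unknown algorithm name
    }
    [$algo, $salt, $digest] = $parts;
    // Re-hash the submitted password with the stored salt, then compare.
    // hash_equals() is a constant-time string comparison.
    return hash_equals($digest, hash($algo, $salt . $candidate));
}

// Constructed sample data: "bob" is the password used in post #3.
$record = make_record('bob');
echo $record, "\n";
var_dump(check_password('bob', $record)); // correct password
var_dump(check_password('bab', $record)); // wrong password

// The same password hashed again gets a different salt, so the two
// stored records differ even though both verify.
var_dump(make_record('bob') === $record);

// Built-in alternative: salt generation, algorithm choice and record
// parsing are handled by PHP itself.
$stored = password_hash('bob', PASSWORD_DEFAULT);
var_dump(password_verify('bob', $stored));
```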




