RaythMistwalker Posted January 7, 2010
Ok, I wish to upgrade my users' password security. Say at the moment the passwords are stored as somekey.encodedpassword.somekey. As you can see, the password is surrounded by "." What I want to do is, when a user registers, assign a random 8-digit number before and after the password (this way it is different for each user), but obviously my login would bang back some of the users. For example, say my password was test; the database would look like:
83758478.test.73263876
How would I get the PHP to only take the part between the 2 "."s? (Note this is not the real symbol I'm using, I just have it as an example.) Reasoning: hackers who manage to get my original key will be stumped, as the numbers at the beginning and end are generated randomly and separately.
Psycho Posted January 7, 2010
What? Why are you trying to reinvent the wheel? Use a hash, such as MD5() or SHA(), with a salt. I'm assuming the user is not aware of these added values and is just entering their normal password, and you are planning to validate that against the database value by stripping off the added values, right? How is that going to thwart a hacker if they were to get into your database? Anyone intelligent enough to get into your database would be able to plainly see the pattern and figure out your 1337 encoding.
teamatomic Posted January 7, 2010
With what you have, a simple list/explode would work. But anyone who manages to view a few of the passwords would see the pattern with the dots and know what's up. Better would be:
$pass = '12345678dD4%%dert98765432';
preg_match('#[0-9]{8}(.*)[0-9]{8}#is', $pass, $result); // greedy group 1 is everything between the two 8-digit runs
echo $result[1];
crabfinger Posted January 7, 2010
You could use this...
$password = (count($explode = explode('.', $password_before)) === 3) ? $explode[1] : FALSE; // FALSE unless there are exactly two delimiters
Where all you have to do is change $password to whatever your password variable is and $password_before to whatever your password variable was. You could also try removing the periods; as long as you know the exact length of the random string that you put at the beginning of your password, then you could use something like this. I use a string length of 8 below because that is what you used in your post.
$password = substr($password_before, 8, strlen($password_before) - 16); // drop 8 chars from each end
teamatomic Posted January 7, 2010
Crabfinger's second example is best, as you could use something like this:
34$%fFe0dD4%%dert!0(4%grF
and there is no pattern to be seen at all.
HTH
Teamatomic
ignace Posted January 7, 2010
> hackers who manage to get my original key will be stumped
I think only you will be stumped when suddenly everything's gone.. mjdamato is IMO the only legit tried-and-true option.
Psycho Posted January 7, 2010
> Crabfinger's second example is best, as you could use something like this: 34$%fFe0dD4%%dert!0(4%grF and there is no pattern to be seen at all.
Except for the fact that people do not use gibberish for their passwords. Even if you don't use a delimiter such as a period, the passwords would be plainly visible to anyone looking at the raw data. The values in the database would look like the following:
(d&%^KS*spasswordNs*#]?1%
*'@jS7W6Go Raiders&dT$2(@|
:+!.D7k#pizza_=2J3d
It wouldn't take a rocket scientist to decipher the real passwords. Hashes have been used to mask passwords in databases for years and are irreversible, i.e. you cannot decipher the real password from the hashed value. Please do not respond that MD5 can be cracked - it can't. But if users use stupid simple passwords and you do not utilize a SALT, then a lookup table can be used, but that is not the same as 'cracking' MD5. Anyway, here is an example of a typical usage:
// User entered password
$password = "Some value by the user";
// First create a salt: append a value specific to the user or manipulate the value in some consistent manner
$passWithSalt = strrev($password) . $username;
// Second, hash the value
$hashedValue = md5($passWithSalt);
So, when a user creates a password you would follow that process and save it to the database. Then when a user logs in, you follow the same process to get the hashed value and compare that to the value in the database. I will guarantee that neither you nor any hacker can ever determine the user's password from what is in the database. At least not without a lot of time and processing power to create a custom lookup table of values using your salt.
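The register/login flow described in the post above, as an added example that is not code from this thread or from any of its posters. It uses a random per-user salt instead of the username and a constant-time comparison, and verifies by recomputing the hash rather than by stripping anything off the stored value. It assumes PHP 7.0 or later (random_bytes(), hash_equals()); the stored record layout "<hex salt>$<hex sha256>" and the function names are assumptions of this example. The password_hash()/password_verify() pair at the end is PHP's own built-in (5.5+) way of doing the same job with bcrypt and is what you would reach for today rather than md5/sha256.

```php
<?php
// Added example, not code from the thread. Demonstrates "hash with a salt,
// then recompute on login" instead of stripping bytes off a stored value.
// Assumes PHP 7.0+ (random_bytes, hash_equals). The record format
// "<hex salt>$<hex sha256>" is an assumption of this example.

declare(strict_types=1);

// Registration: a fresh random salt per user, stored next to the hash.
// The salt is not secret; it only has to differ per user so that two
// identical passwords give different records and a precomputed lookup
// table of hashes is useless.
function makePasswordRecord(string $password): string
{
    $salt = bin2hex(random_bytes(16));          // 32 hex chars, unique per user
    $hash = hash('sha256', $salt . $password);  // hash over salt + password
    return $salt . '$' . $hash;
}

// Login: recompute with the stored salt and compare in constant time.
// Nothing in the record can be "decoded" back to the password.
function checkPassword(string $password, string $record): bool
{
    $parts = explode('$', $record, 2);
    if (count($parts) !== 2) {
        return false;                           // malformed record
    }
    list($salt, $storedHash) = $parts;
    $candidate = hash('sha256', $salt . $password);
    return hash_equals($storedHash, $candidate);
}

// The built-in way (PHP 5.5+): bcrypt with an embedded random salt and a
// cost factor, so brute force is slow by design.
function makePasswordRecordModern(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function checkPasswordModern(string $password, string $record): bool
{
    return password_verify($password, $record);
}

// Demo on constructed input: same password for two users, two different records.
$alice = makePasswordRecord('test');
$bob   = makePasswordRecord('test');
printf("records differ: %s\n", var_export($alice !== $bob, true));
printf("alice correct:  %s\n", var_export(checkPassword('test', $alice), true));
printf("alice wrong:    %s\n", var_export(checkPassword('Test', $alice), true));

$modern = makePasswordRecordModern('test');
printf("modern correct: %s\n", var_export(checkPasswordModern('test', $modern), true));
printf("modern wrong:   %s\n", var_export(checkPasswordModern('wrong', $modern), true));
```

Save it as a .php file and run it from the command line. The point of the layout is that the only secret is the password itself: the salt sits in the clear, so there is nothing for an attacker who has the table to "strip off", and there is nothing for the login code to strip off either.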
crabfinger Posted January 7, 2010
If you look at his original post, the OP says that he encrypts the password and then puts random shit on either side so it won't be plaintext.
Psycho Posted January 7, 2010
> If you look at his original post, the OP says that he encrypts the password and then puts random shit on either side so it won't be plaintext
Really? When I read his original post there is conflicting information.
> say atm the passwords are stored as somekey.encodedpassword.somekey
> for example say my password was test the database would look like: 83758478.test.73263876
Besides, if the password is encoded, what is the point of putting additional random data on the ends to prevent hackers from getting the info?
ignace Posted January 7, 2010
> Besides, if the password is encoded, what is the point of putting additional random data on the ends to prevent hackers from getting the info?
> If you look at his original post, the OP says that he encrypts the password and then puts random shit on either side so it won't be plaintext
He can't encode it, because if he did he wouldn't be able to authenticate anyone, because he can't generate the same prefix and annex twice!! Apparently only I and mjdamato are aware of this. Only mjdamato's option is tried-and-true.
crabfinger Posted January 7, 2010
> Besides, if the password is encoded, what is the point of putting additional random data on the ends to prevent hackers from getting the info?
> If you look at his original post, the OP says that he encrypts the password and then puts random shit on either side so it won't be plaintext
> He can't encode it, because if he did he wouldn't be able to authenticate anyone, because he can't generate the same prefix and annex twice!! Apparently only I and mjdamato are aware of this. Only mjdamato's option is tried-and-true.
He doesn't need to generate the same thing twice; he encodes the password and then adds stuff to each end, not before. Then all he needs to do is remove the random shit (which he can do with substr) from each end and then decode it. The only security this adds is that if some l337 hacker decides to try and crack the password he will be fucked up by the random shit on either end.
RaythMistwalker Posted January 7, 2010 (Author)
Gee, wow, go to work for a few hours and wow. Yes, my passwords are hashed as well as encoded, and I think crabfinger knows what I want to do. What's the substr thing you mentioned?
Edit: sorry, I just read crabfinger's post with substr. Yeah, I can take out the periods since I know it'll be a certain number of digits before and after, so how would I remove the 8 after as well as before?
ignace Posted January 7, 2010
> The only security this adds is that if some l337 hacker decides to try and crack the password he will be fucked up by the random shit on either end.
Yeah, mqsdjfmqhstd.my beautiful password not visible at all here.qmlhgqhytmqr very hard indeed..
RaythMistwalker Posted January 7, 2010 (Author)
> The only security this adds is that if some l337 hacker decides to try and crack the password he will be fucked up by the random shit on either end.
> Yeah, mqsdjfmqhstd.my beautiful password not visible at all here.qmlhgqhytmqr very hard indeed..
You're forgetting the part that I do actually encode it; I just didn't want to show how I encode it because it's done 3 times before it is saved. An example could be md5(md5(sha1($password))).
Andy-H Posted January 7, 2010
What's the point in MD5 hashing it twice?
$pass = substr($pass, 0, 8); // remove first eight chars.
$pass = substr($pass, 0, -8); // remove last eight chars.
RaythMistwalker Posted January 7, 2010 (Author)
> What's the point in MD5 hashing it twice?
> $pass = substr($pass, 0, 8); // remove first eight chars.
> $pass = substr($pass, 0, -8); // remove last eight chars.
It was just an example. Thanks for the code though.
Psycho Posted January 7, 2010
> What's the point in MD5 hashing it twice?
> $pass = substr($pass, 0, 8); // remove first eight chars.
> $pass = substr($pass, 0, -8); // remove last eight chars.
What's the point of running substr() twice?
$pass = substr($pass, 8, -8); // Remove first AND last eight characters
crabfinger Posted January 7, 2010
> What's the point in MD5 hashing it twice?
> $pass = substr($pass, 0, 8); // remove first eight chars.
> $pass = substr($pass, 0, -8); // remove last eight chars.
That's the exact same thing as this
$password = substr($password_before, 8, strlen($password_before) - 16);
which I posted earlier.
Andy-H Posted January 8, 2010
lmao, just realised my code was wrong anyway...
$pass = substr($pass, 0, 8); // returns first 8 chars. :S
$pass = substr($pass, 0, -8); // removes last 8 chars
// $pass = ''; :S