quasiman Posted June 2, 2010

I'm working on a database project, and I want the passwords to be as secure as possible. I've added a couple of salts in the mix, and I'm hoping for some opinions (or facts would be even better) about how secure it actually is to do it like this. Soo....here it is, please let me know what you think

[code]
<?php
// Long fixed salt, then the salt's own base64 encoding appended to it.
$salt = "Once upon a midnight dreary, while I pondered weak and weary, Over many a quaint and curious volume of forgotten lore, While I nodded, nearly napping, suddenly there came a tapping, As of some one gently rapping, rapping at my chamber door. 'Tis some visitor,' I muttered, `tapping at my chamber door - Only this, and nothing more.'";
$salt .= base64_encode($salt);
$mypassword = "my passphrase...because phrases (in general) are more secure than passwords.";
// md5 of password+salt, wrapped in sha1 with the salt again, then sha512 of that hex string.
$cryptedpass = sha1($salt . md5($mypassword . $salt));
$output = hash("sha512", $cryptedpass);
echo $output;
?>
[/code]

https://forums.phpfreaks.com/topic/203603-salted-password-hashing-no-msg/
GetPutDelete Posted June 2, 2010

Seems a bit unnecessary. Execution time will take several times longer now, when just using a salt of 64 chars is more than enough.
quasiman (Author) Posted June 2, 2010

I'm not too worried about the speed difference, when you're really talking about less than a second difference. 64 chars is more than enough for what? Public web forums, definitely...but this isn't a public site I'm working on, and I need it to be absolutely unbreakable. In as much as that's even possible lol
Karlos94 Posted June 3, 2010

quasiman wrote: I'm not too worried about the speed difference, when you're really talking about less than a second difference. 64 chars is more than enough for what? Public web forums, definitely...but this isn't a public site I'm working on, and I need it to be absolutely unbreakable. In as much as that's even possible lol

Unbreakable? Nothing is unbreakable, but I can tell you a hashing algorithm that is near enough to that. As far as I know it hasn't been cracked or anything. Try this for example:

[code]
<?php
$password = 'the password being stored'; // was never defined in the post; set it before hashing
$salt = 'Your salt';
$rot13 = str_rot13($salt);       // PHP's built-in is str_rot13(); rot_13() does not exist
$rev_rot13 = strrev($rot13);
$pass = hash('sha256', $rot13 . sha1($password . $salt) . $rev_rot13);
$hashed = hash('whirlpool', $pass);
echo $hashed;
[/code]
quasiman (Author) Posted June 3, 2010

I know nothing is unbreakable; by saying that I'm just making the point that this needs to be more than just public forum level security. Adequate security is defined by what is being secured, and in this case it's very important that I take every precaution possible. I'm sure, for instance, that if I were securing access to your payroll information, you'd want it as unbreakable as I do. Anyway, is whirlpool more secure than sha512? I like your rot_13 and strrev ideas
mrMarcus Posted June 3, 2010

Just watch, as you're starting to border on paranoia. I sure hope you're going to put as much effort into securing the database itself as you are in hashing the passwords. Run some port checks, set db access permissions, etc. People often forget about that.
Zane Posted June 3, 2010

mrMarcus wrote: Just watch, as you're starting to border on paranoia.

The only way someone will be able to crack/hack your passwords is if they can get access to your hashing method. They would actually have to see it.. visually. The chances of guessing a salt for a hash are about as slim to impossible as guessing someone else's password to begin with. Moreover (as I've already mentioned), they would have to hash it exactly the same way... A simple md5 hash should do fine; it's the access to your server files and code you need to worry most about..
Karlos94 Posted June 3, 2010

quasiman wrote: I know nothing is unbreakable; by saying that I'm just making the point that this needs to be more than just public forum level security. Adequate security is defined by what is being secured, and in this case it's very important that I take every precaution possible. I'm sure, for instance, that if I were securing access to your payroll information, you'd want it as unbreakable as I do. Anyway, is whirlpool more secure than sha512? I like your rot_13 and strrev ideas

From what I know from a highly experienced website developer, as far as I know it is indeed more secure than sha512; however, I last got that information a while ago, so it might be worth checking it yourself. And thanks, sometimes the simplest functions can make a sure god damn difference.
quasiman (Author) Posted June 3, 2010

mrMarcus wrote: I sure hope you're going to put as much effort into securing the database itself as you are in hashing the passwords. Run some port checks, set db access permissions, etc. People often forget about that.

Fortunately this is not a one man operation, and the server security is being handled by people better suited than I am

Zane wrote: A simple md5 hash should do fine; it's the access to your server files and code you need to worry most about..

MD5 has been proven insecure, and in fact a simple google search gave me this: http://www.md5decrypter.com

That being said, do you mean this:

[code]
<?php
$salt = "81f02555eceb083c74c043d24dc7b32c";
$mypassword = "SuperSecretPassword!%%#";
$encryptpass = md5($salt.$mypassword.$salt);
echo $encryptpass;
?>
[/code]

is just as secure as what I had originally posted?
Daniel0 Posted June 3, 2010

quasiman wrote: That being said, do you mean this:

[code]
<?php
$salt = "81f02555eceb083c74c043d24dc7b32c";
$mypassword = "SuperSecretPassword!%%#";
$encryptpass = md5($salt.$mypassword.$salt);
echo $encryptpass;
?>
[/code]

is just as secure as what I had originally posted?

Yes, if you substitute MD5 with SHA512. You really should just do like this though (or using another algorithm than SHA512 if you wish):

[code]
$hash = hash_hmac('sha512', $password, $salt);
[/code]
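Daniel0's one-line hash_hmac() suggestion, expanded into a complete store-and-verify routine. This is an added example by the editor, not code from any poster in this thread. It assumes PHP 7 or later (random_bytes(), hash_equals()); the 16-byte per-user salt and the "hex(salt)$hex(mac)" record layout are the editor's choices, not anything the thread specifies.

```php
<?php
// Editor's added example: per-user random salt + HMAC-SHA512, store and verify.
// Assumes PHP 7+. Record format "hex(salt)$hex(mac)" is an assumption for this demo.
declare(strict_types=1);

const SALT_BYTES = 16; // 128-bit random salt per account (editor's choice)

// Build the stored record for a newly set password.
function make_password_record(string $password): string
{
    $salt = random_bytes(SALT_BYTES);                 // fresh CSPRNG salt for every user
    $mac  = hash_hmac('sha512', $password, $salt, true); // raw binary output
    return bin2hex($salt) . '$' . bin2hex($mac);
}

// Check a login attempt against a stored record.
function verify_password(string $password, string $record): bool
{
    $parts = explode('$', $record, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== SALT_BYTES * 2) {
        return false;                                 // malformed record must never verify
    }
    $salt = hex2bin($parts[0]);
    if ($salt === false) {
        return false;
    }
    $mac = hash_hmac('sha512', $password, $salt, true);
    // Constant-time comparison: a remote attacker learns nothing from timing.
    return hash_equals($parts[1], bin2hex($mac));
}

// Demonstration with a constructed password.
$record = make_password_record('correct horse battery staple');
echo $record, PHP_EOL;
var_dump(verify_password('correct horse battery staple', $record));
var_dump(verify_password('Correct horse battery staple', $record));

// Two accounts with the same password get different records, so one cracked
// record says nothing about the other and no shared lookup table applies.
var_dump(make_password_record('hunter2') === make_password_record('hunter2'));
```

verify_password() returns true only for the exact password, and the two records made from 'hunter2' differ because each call draws its own salt. The salt is stored next to the HMAC on purpose: its job is to make every account's hash unique, not to stay secret, which is exactly what a single fixed salt hidden in the code cannot do once the code is read. One caveat a practitioner should keep in mind: SHA-512 is fast, so an attacker holding the record can still try candidate passwords at high speed; a deliberately slow function such as bcrypt (PHP's password_hash(), added in 5.5) is what closes that gap.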
premiso Posted June 3, 2010

quasiman wrote: is just as secure as what I had originally posted?

Not anymore. I know your salt, so all your base are belong to us!
Zane Posted June 3, 2010

premiso wrote: Not anymore. I know your salt, so all your base are belong to us!

Gwahahahahaahaha.

quasiman wrote: MD5 has been proven insecure, and in fact a simple google search gave me this: http://www.md5decrypter.com

Dude, I had no idea md5 decryption was that easy.. I bow to your Google searching powers, for I would have never found such a tool. The question I ask to you though is... Do you actually know how that decrypter works? Do you know that I can make one too? Did you know that probably every decryptor out there will give you a different result?
kenrbnsn Posted June 3, 2010

That site does not decrypt the hash. I put in a hash of a password I use and the message I received is "A decryption for this hash wasn't found in our database". What they have is a database of hashes and strings that can make that hash. I didn't use any salts when creating the hash. If they were actually decrypting the hash, I would have gotten my password back in clear text.

Ken
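As an added illustration of kenrbnsn's point (an editor's example, not code from the thread): a "decrypter" site is a precomputed table of hashes of guessed strings, and a lookup either hits or it doesn't. The wordlist and the per-user random salt below are constructed for the demo; the fixed site-wide salt is the one quasiman posted earlier in this thread. PHP 7.4 or later is assumed (arrow functions, nullable return types).

```php
<?php
// Editor's added example: how an md5 "decrypter" works, and what salting does to it.
// Assumes PHP 7.4+. Wordlist and per-user salt are constructed for the demo.
declare(strict_types=1);

// Constructed wordlist; a real lookup service holds billions of candidates.
$wordlist = ['123456', 'password', 'letmein', 'qwerty', 'SuperSecretPassword!%%#'];

// Build the reverse table once: hash => plaintext, for whatever recipe $hasher applies.
function build_lookup_table(array $words, callable $hasher): array
{
    $table = [];
    foreach ($words as $w) {
        $table[$hasher($w)] = $w;
    }
    return $table;
}

// "Decrypting" is just a lookup; a hash nobody precomputed returns null.
function lookup(array $table, string $hash): ?string
{
    return $table[strtolower($hash)] ?? null;
}

// 1. Plain md5: the table "reverses" it instantly, no cryptanalysis involved.
$plainTable = build_lookup_table($wordlist, fn(string $w): string => md5($w));
echo 'unsalted md5:    ', lookup($plainTable, md5('letmein')) ?? 'not found', PHP_EOL;

// 2. Same password with a per-user random salt: this hash is in no precomputed table.
$userSalt = bin2hex(random_bytes(16));
echo 'per-user salt:   ', lookup($plainTable, md5($userSalt . 'letmein' . $userSalt)) ?? 'not found', PHP_EOL;

// 3. Fixed site-wide salt the attacker has read out of the source (premiso's point):
//    they rebuild the table once for that salt and every account's hash falls together.
$siteSalt    = '81f02555eceb083c74c043d24dc7b32c';   // the salt posted earlier in this thread
$saltedTable = build_lookup_table($wordlist, fn(string $w): string => md5($siteSalt . $w . $siteSalt));
$victimHash  = md5($siteSalt . 'SuperSecretPassword!%%#' . $siteSalt);
echo 'site salt known: ', lookup($saltedTable, $victimHash) ?? 'not found', PHP_EOL;
```

The first and third lookups succeed and the second reports "not found". Note what this does and does not show: the salted hash is not "uncrackable", it is merely absent from a table built without that salt. An attacker who has both the salt and the hash can still guess candidates one account at a time, which is why the salt must be unique per user and why the hash function's speed matters as much as its name.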
ChaosKnight Posted June 4, 2010

Yeah, MD5 still is one-way encryption, so I don't think there is a tool in existence that can successfully decrypt any md5, but as you said, md5 was proven as a less safe way to encrypt passwords, as there were successful md5 attacks... Rather use the SHA family... I have never heard of a successful SHA attack, so it is relatively safe, but then again it depends on what you define as safe... But if you take a password, concatenate some random words to it, and then MD5 it with some other random words, then your encryption will be safe enough for a very long time my friend

http://www.securitydocs.com/pdf/3079.PDF
Daniel0 Posted June 4, 2010

ChaosKnight wrote: Yeah, MD5 still is one-way encryption

Encryption is by definition reversible. There exists no such thing as "one-way encryption"; you're thinking of hashing, which is a different technique.