Salted password hashing (no MSG!)

[quasiman]

I'm working on a database project, and I want the passwords to be as secure as possible.  I've added a couple salts in the mix, and I'm hoping for some opinions (or facts would be even better) about how secure it actually is to do it like this.

Soo....here it is, please let me know what you think

 

<?php
$salt = "Once upon a midnight dreary, while I pondered weak and weary,
			Over many a quaint and curious volume of forgotten lore,
			While I nodded, nearly napping, suddenly there came a tapping,
			As of some one gently rapping, rapping at my chamber door.
			'Tis some visitor,' I muttered, `tapping at my chamber door -
			Only this, and nothing more.'";
$salt .= base64_encode($salt);
$mypassword = "my passphrase...because phrases (in general) are more secure than passwords.";
$cryptedpass = sha1($salt . md5($mypassword . $salt));
$output = hash("sha512", $cryptedpass);
echo $output;
?>
[code]

[GetPutDelete]

Seems a bit unnecessary. Execution time will take several times longer now when just using a salt of 64 char's is more than enough.

[quasiman]

I'm not too worried about the speed difference, when you're really talking about less than a second difference.

 

64 char's is more than enough for what?  Public web forums, definitely...but this isn't a public site I'm working on, and I need it to be absolutely unbreakable.  In as much as that's even possible lol

[Karlos94]

I'm not too worried about the speed difference, when you're really talking about less than a second difference.

 

64 char's is more than enough for what?  Public web forums, definitely...but this isn't a public site I'm working on, and I need it to be absolutely unbreakable.  In as much as that's even possible lol

 

Unbreakable? Nothing is unbreakable but I can tell you a hashing algorithm that is near enough to that. As far as I know it hasn't been cracked or anything. Try this for example:

 

<?php

$salt = 'Your salt';
$rot13 = rot_13($salt);
$rev_rot13 = strrev($rot13);

$pass = hash('sha256', $rot13 . sha1($password . $salt) . $rev_rot13);
$hashed = hash('whirlpool', $pass);

echo $hashed;

[quasiman]

I know nothing is unbreakable, by saying that I'm just making the point that this needs to be more than just public forum level security.  Adequate security is defined by what is being secured, and in this case it's very important that I take every precaution possible.  I'm sure for instance, that if I were securing access to your payroll information, you'd want it as unbreakable as I do.

 

Anyway, is whirlpool more secure than sha512?

I like your rot_13 and strrev ideas

[mrMarcus]

Just watch as you're starting to border paranoia.  I sure hope you're going to put as much effort into securing the database itself as you are in hashing the passwords.  Run some port checks, set db access permissions, etc.  People often forget about that.

[Zane]

Just watch as you're starting to border paranoia.

 

The only way someone will be able to crack/hack your passwords is if they can get access to your hashing method.  They would actually have to see it.. visually.  The chances of guessing a salt for a hash are about as slim to impossible as guessing someone else's password to begin with. 

 

Moreover (as I've already mentinoed), they would have to hash it exactly the same way...

 

A simple md5 hash should do fine, it's the access to your server files and code you need to worry most about..

[Karlos94]

I know nothing is unbreakable, by saying that I'm just making the point that this needs to be more than just public forum level security.  Adequate security is defined by what is being secured, and in this case it's very important that I take every precaution possible.  I'm sure for instance, that if I were securing access to your payroll information, you'd want it as unbreakable as I do.

 

Anyway, is whirlpool more secure than sha512?

I like your rot_13 and strrev ideas

 

From what i know from a highly experienced website developer, as far as I know it is indeed more secure than sha512, however I last got that information a while ago so it might be worth checking it yourself.

 

And thanks, somtimes the simplist functions can make a sure god damn difference.

[quasiman]

I sure hope you're going to put as much effort into securing the database itself as you are in hashing the passwords.  Run some port checks, set db access permissions, etc.  People often forget about that.

Fortunately this is not a one man operation, and the server security is being handled by people better suited than I am

A simple md5 hash should do fine, it's the access to your server files and code you need to worry most about..

MD5 has been proven insecure, and in fact a simple google search gave me this:

http://www.md5decrypter.com

 

That being said, do you mean this:

<?php
$salt = "81f02555eceb083c74c043d24dc7b32c";
$mypassword = "SuperSecretPassword!%%#";
$encryptpass = md5($salt.$mypassword.$salt);
echo $encryptpass;
?>

is just as secure as what I had originally posted?

[Daniel0]

That being said, do you mean this:

<?php
$salt = "81f02555eceb083c74c043d24dc7b32c";
$mypassword = "SuperSecretPassword!%%#";
$encryptpass = md5($salt.$mypassword.$salt);
echo $encryptpass;
?>

is just as secure as what I had originally posted?

 

Yes, if you substitute MD5 with SHA512.

 

You really should just do like this though (or using another algorithm than SHA512 if you wish):

$hash = hash_hmac('sha512', $password, $salt);

[premiso]

is just as secure as what I had originally posted?

 

Not anymore. I know your salt, so all your base are belong to us!

[Zane]

Not anymore. I know your salt, so all your base are belong to us!

Gwahahahahaahaha.

 

MD5 has been proven insecure, and in fact a simple google search gave me this:

http://www.md5decrypter.com

Dude, I had no idea md5 deccryption was that easy..  I bow to your Google searching powers for I would have never found such a tool.

 

The question I ask to you though is...

Do you actually know how that decrypter works?

Do you know that I can make one too?

Did you know that probably every decryptor out there will give you a different result?

[kenrbnsn]

That site does not decrypt the hash. I put in a hash of a password I use and the message I received is "A decryption for this hash wasn't found in our database". What they have is a database of hashes and strings that can make that hash.  I didn't use any salts when creating the hash. If they were actually decrypting the hash, I would have gotten my password back in clear text.

 

Ken

[ChaosKnight]

Yeah MD5 still is one-way encryption, so I don't think there is a tool in existence that can successfully decrypt any md5, but as you said, md5 was proven as a less safe way to encrypt passwords, as there were successful md5 attacks... Rather use the SHA family... I have never heard of a successful SHA attack, so it is relatively safe, but then again it depends one what you define as safe... But if you take a password, concatenate some random words to it, and then MD5 it with some other random words then your encryption will be safe enough for a very long time my friend 

 

http://www.securitydocs.com/pdf/3079.PDF

[Daniel0]

Yeah MD5 still is one-way encryption

 

Encryption is by definition reversible. There exists no such thing as "one-way encryption"; you're thinking of hashing, which is a different technique.