knobby2k, posted May 5, 2011

Hey everyone,

Hopefully I'm putting this question in the correct place! I've been reading up on password security and in particular how to do it. After reading far too many articles on people's opinions I believe it is going to be a case of personal preference, but I thought I'd put it to the wider audience. This post will lead to me questioning how to code it correctly using PHP once I have confirmation that what I want to do will be secure.

My way of thinking is to SHA256 on a $site_secret.$nonce.$password, so just to be clear...

1) the site_secret will be a fixed static value that will not be changed and stored away from user data.
2) the nonce will be a value specific to that user such as their username
3) password will be whatever they enter upon registration.

I think I am right in how I'm thinking but correct me if I'm wrong. Will this be secure? Does anyone disagree and know of a better way?

Thanks

knobby2k (Author), posted May 5, 2011

Thought I'd be flooded with people's opinions on this one!!!

fugix, posted May 5, 2011

I've heard that encryption+salt is the way to go for password security

knobby2k (Author), posted May 5, 2011

Yeah, well that site_secret is the salt, if I believe right anyway!

The Little Guy, posted May 5, 2011

I am not sure why you're doing this with a password: $site_secret.$nonce.$password. Could you explain yourself?

I would recommend sha256+. I still use md5 for most of my stuff. I would have to say if you are storing user private data, you would want something with the best security possible. If you're storing basic stuff, yeah security would be nice, but it almost doesn't matter if someone breaks in, what are they going to end up with? Not much. I wouldn't write something with that attitude in mind though.

The Little Guy, posted May 5, 2011

Maybe it is just me, but a salt seems useless.

asdfasdfasdf234s8jre45u30jgrg4u594jg09405g40j54oijgt4
asdfasdfasdffgrgjpwoijg4j5j4oit5j45[4509j509jgt59j43955t
asdfasdfasdf45piowt5g945g05h56h955h9y596696hjboiere
asdfasdfasdfwerf8sorj4458jrsrrtjo5jtierjtj84j5tejrtp8gjgjg48

If you are smart, you will notice that all of these have the same thing in common, they all begin with: asdfasdfasdf

As long as you know to remove that, you can now decrypt it (if you know how). Maybe it is me, but am I going about that theory wrong?

knobby2k (Author), posted May 5, 2011

OK, so maybe I didn't explain it properly in the beginning...

So this is all about a user registering for my site and setting up a username and password, then the password getting encrypted and stored in my database in the most secure way possible.

The user chooses their own password (which for this example will be the password 'dog').

If I just hash the standard password then rainbow tables could be used to find a match against the hash, so from what I've read it is recommended to use a salt, which in the case of this example is $site_secret. $site_secret would be a kind of key; a static value hidden away from everything else that would be added as a string on the password (for this example the salt will be the word 'key'),

so... $password . $salt will make a string of 'dogkey'. This will then produce a more secure hash.

What I want to do to make this even more secure is use another value that will be unique to that user, such as the username (for this example 'bob'),

so... $password . $salt . $username will make a string of 'dogkeybob'. Then hash this using SHA256 to encrypt it, which would then produce a unique hash.

I believe that my understanding of it is correct... but that is what I am hoping someone can tell me!!

Cheers

knobby2k (Author), posted May 5, 2011

> Maybe it is just me, but a salt seems useless.
>
> asdfasdfasdf234s8jre45u30jgrg4u594jg09405g40j54oijgt4
> asdfasdfasdffgrgjpwoijg4j5j4oit5j45[4509j509jgt59j43955t
> asdfasdfasdf45piowt5g945g05h56h955h9y596696hjboiere
> asdfasdfasdfwerf8sorj4458jrsrrtjo5jtierjtj84j5tejrtp8gjgjg48
>
> If you are smart, you will notice that all of these have the same thing in common, they all begin with: asdfasdfasdf
>
> As long as you know to remove that, you can now decrypt it (if you know how). Maybe it is me, but am I going about that theory wrong?

By your description above it sounds like your salt is asdfasdfasdf and then stuck this on the beginning of a hashed password (if I am right).

What I actually mean is add the salt to the end of the password before hashing the entire thing.

spiderwell, posted May 6, 2011

I think what you are suggesting is fine really, it would put off most casual attempts to break in, and like stated, how 'important' is your site, is it really going to attract people who want to access the data? It's not like you are a bank or the PlayStation Network.

Zurev, posted May 6, 2011

I would use blowfish, depending on the amount of rounds it can take up to a second to process, blowing brute forcing out of the water. The salts essentially take rainbow tables out of the equation, in the sense that if we both have the password "abcdef", they will be concatenated with the salt, and then hashed, so we will have two entirely different hashes for the same password.

Here's an example static class I made for a project a bit ago, maybe not the most secure, but I found it fine for my project:

```php
class passPhrase {

    private static $algorithm = "\$2a"; // crypt() prefix selecting Blowfish (bcrypt)
    private static $rounds = "\$10";    // cost parameter: 2^10 iterations
    private static $method = "BLOWFISH";

    // Builds a random salt from $chars (22 characters is what bcrypt expects).
    // mt_rand() is not a cryptographically secure generator.
    public static function uniqueSalt($length=22, $chars="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789") {
        $theSalt = "";
        for ($i=1; $i<=$length; $i++) {
            // mt_rand() is inclusive at both ends, so the upper bound is the last valid index
            $theSalt .= substr($chars, mt_rand(0, strlen($chars) - 1), 1);
        }
        return $theSalt;
    }

    public static function hashPassword($password, $salt=NULL) {
        if (is_null($salt)) {
            $salt = self::uniqueSalt();
        }
        // @todo Make this check if BLOWFISH is/isn't available, and if not use a different
        // method of encryption
        $salt = self::$algorithm.self::$rounds.'$'.$salt;
        return crypt($password, $salt);
    }

    // $salt must be the full prefixed string built in hashPassword()
    // ("$2a$10$" plus the 22-character salt); the stored hash itself also
    // works, because crypt() reads its settings from the start of that string.
    public static function validatePassphrase($userInput, $passwordHash, $salt) {
        if (crypt($userInput, $salt)===$passwordHash) {
            return TRUE;
        } else {
            return FALSE;
        }
    }
}
```
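
One way to combine the pieces discussed in this thread (a site-wide secret kept outside the database, a random per-user salt, and slow bcrypt hashing) with PHP's built-in password_hash() functions, available since PHP 5.5. This is an added example, not code posted by anyone in the thread; SITE_SECRET, pepper(), hashForStorage(), checkLogin() and needsUpgrade() are hypothetical names, and the secret and passwords are constructed sample values.

```php
<?php
// Constructed placeholder. In a real deployment the secret lives outside the
// database, for example in a config file or an environment variable.
const SITE_SECRET = 'constructed-example-secret';
const BCRYPT_COST = 10; // same work factor as the "$10" rounds in the class above

// Mix the site-wide secret into the password with HMAC-SHA256. The hex output
// is 64 ASCII characters, which stays under bcrypt's 72-byte input limit.
function pepper(string $password): string
{
    return hash_hmac('sha256', $password, SITE_SECRET);
}

// password_hash() generates a random salt for every call and embeds the
// algorithm, cost and salt in the returned string, so one column stores it all.
function hashForStorage(string $password): string
{
    return password_hash(pepper($password), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// password_verify() reads cost and salt back out of the stored string and
// compares the result in constant time.
function checkLogin(string $password, string $stored): bool
{
    return password_verify(pepper($password), $stored);
}

// Reports whether the stored hash was made with another algorithm or cost and
// should be recomputed at the user's next successful login.
function needsUpgrade(string $stored): bool
{
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Two users pick the same password; each gets an independent random salt.
$userOne = hashForStorage('abcdef');
$userTwo = hashForStorage('abcdef');
printf("%s\n%s\n", $userOne, $userTwo);

var_dump($userOne === $userTwo);          // compare the two stored strings
var_dump(checkLogin('abcdef', $userOne)); // correct password
var_dump(checkLogin('abcdeg', $userOne)); // wrong password
var_dump(needsUpgrade($userOne));         // cost unchanged since hashing

// Time one hash to see what the cost parameter means for each guess.
$start = microtime(true);
hashForStorage('abcdef');
printf("one hash at cost %d: %.1f ms\n", BCRYPT_COST, (microtime(true) - $start) * 1000);
```

Raising BCRYPT_COST by one doubles the work per hash; needsUpgrade() then flags hashes stored at the old cost so they can be replaced at login.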

Pikachu2000, posted May 6, 2011

Are you using SSL for logins? If not, you may as well not even bother hashing the passwords. I mean what's the point of going through all the trouble of salting, and using a strong hashing algorithm like SHA256 if the passwords are going to be traversing the wire in clear text?

Zurev, posted May 6, 2011

> Are you using SSL for logins? If not, you may as well not even bother hashing the passwords. I mean what's the point of going through all the trouble of salting, and using a strong hashing algorithm like SHA256 if the passwords are going to be traversing the wire in clear text?

You're saying he shouldn't even hash passwords if he isn't using an SSL certificate? That is such flawed logic, a HUGE amount of websites don't use SSL in their logins, including this one.

Pikachu2000, posted May 6, 2011

I'm saying there's not much point in designing a fancy hashing/salting/encryption routine to store the passwords if they're going to be sent in clear text over the internet. I'm trying to make the point that security is only as strong as the weakest link, and in the case of most websites that weakest link IS the lack of SSL for sending login credentials, etc.

phpSensei, posted May 6, 2011

I always thought this script explained it pretty well, from PHP Security Consortium

```php
<?php
// Number of characters of salt stored in front of the hash
define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null) {
        // New password: derive a fresh salt from a random unique ID
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    } else {
        // Existing password: reuse the salt at the start of the given value
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    // Stored value is the salt followed by sha1(salt + password)
    return $salt . sha1($salt . $plainText);
}
?>
```

phpSensei, posted May 6, 2011

> I'm saying there's not much point in designing a fancy hashing/salting/encryption routine to store the passwords if they're going to be sent in clear text over the internet. I'm trying to make the point that security is only as strong as the weakest link, and in the case of most websites that weakest link IS the lack of SSL for sending login credentials, etc.

OpenSSL ftw!

knobby2k (Author), posted May 9, 2011

Hey, could you explain what that code is actually doing please? I'm still learning this so can't quite make sense of it all yet.

Cheers

> I always thought this script explained it pretty well, from PHP Security Consortium
>
> ```php
> <?php
> define('SALT_LENGTH', 9);
>
> function generateHash($plainText, $salt = null)
> {
>     if ($salt === null) {
>         $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
>     } else {
>         $salt = substr($salt, 0, SALT_LENGTH);
>     }
>
>     return $salt . sha1($salt . $plainText);
> }
> ?>
> ```
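
What the quoted script stores and how a login is checked against it, as an added example that is not part of the original thread or of the quoted script: verifyHash() is a hypothetical helper, and 'dog' and 'cat' are constructed sample passwords. SHA-1 is fast to compute, so this layout defeats precomputed tables but does not slow down guessing.

```php
<?php
// generateHash() is repeated from the script quoted above so this file runs
// on its own; verifyHash() is a hypothetical helper added for illustration.
define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null) {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    } else {
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plainText);
}

function verifyHash(string $plainText, string $stored): bool
{
    // generateHash() trims its second argument to SALT_LENGTH characters, so
    // passing the whole stored value reuses exactly the salt it starts with.
    $recomputed = generateHash($plainText, $stored);
    // hash_equals() compares in constant time (PHP 5.6+).
    return hash_equals($stored, $recomputed);
}

$stored = generateHash('dog');             // what goes into the database
$salt   = substr($stored, 0, SALT_LENGTH); // kept in the clear by design
$digest = substr($stored, SALT_LENGTH);    // 40 hex characters of SHA-1

printf("stored value : %s\n", $stored);
printf("salt         : %s\n", $salt);
printf("digest       : %s\n", $digest);

// Stripping the salt leaves sha1($salt . 'dog'): still a one-way hash, and
// not the value a precomputed table for plain sha1('dog') would contain.
var_dump($digest === sha1('dog'));
var_dump($digest === sha1($salt . 'dog'));

// Login check: recompute with the stored salt and compare the results.
var_dump(verifyHash('dog', $stored));
var_dump(verifyHash('cat', $stored));
```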

jonsjava, posted May 9, 2011

Just for fun, here's a different approach to hashing:

```php
function DeepCrypt($salt,$string){
    // First pass: MD5 of the input followed by the salt
    $first_run = md5($string.$salt);
    // Drop every "a", "2" and "3" from the hex digest
    $second_run = str_replace(array("a","2","3"),"",$first_run);
    // Second pass: MD5 of the shortened digest followed by the salt
    $third_run = md5($second_run.$salt);
    return $third_run;
}
```

Don't really need to do this, but if you're worried about having your hashes reversed, this should clear that up.