Password security

[knobby2k]

Hey everyone,

 

Hopefully i'm putting this question in the correct place!

 

I've been reading up on password security and in particular how to do it. After reading far too many articles on peoples opinions i believe it is going to be a case of personal preference but I thought i'd put it to the wider audience.

 

This post will lead to me questioning how to code it correctly using PHP once I have confirmation that what I want to do will be secure.

 

My way of thinking is to SHA256 on a $site_secret.$nonce.$password

 

so just to be clear...

 

1) the site_secret will be a fixed static value that will not be changed and stored away from user data.

2) the nonce will be a value specific to that user such as their username

3) password will be whatever they enter upon registration.

 

I think I am right in how i'm thinking but correct me if i'm wrong.

 

Will this be secure? Does anyone disagree and know of a better way??

 

Thanks

[knobby2k]

Thought i'd be flooded with peoples opinions on this 1!!!

[fugix]

ive heard that encryption+salt is the way to go for password security

[knobby2k]

yeah well that site_secret is the salt, if i believe right anyway!

[The Little Guy]

I am not sure why your doing this with a password:

$site_secret.$nonce.$password

 

could you explain yourself?

 

I would recommended sha256+

 

I still use md5 for most of my stuff. I would have to say if you are storing user private data, you would want something with the best security possible. If your storing basic stuff, yeah security would be nice, but it almost doesn't matter if someone breaks in, what are they going to end up with? not much.

 

I wouldn't write a something with that attitude in mind though.

[The Little Guy]

Maybe it is just me, but a salt seems useless.

 

asdfasdfasdf234s8jre45u30jgrg4u594jg09405g40j54oijgt4

asdfasdfasdffgrgjpwoijg4j5j4oit5j45[4509j509jgt59j43955t

asdfasdfasdf45piowt5g945g05h56h955h9y596696hjboiere

asdfasdfasdfwerf8sorj4458jrsrrtjo5jtierjtj84j5tejrtp8gjgjg48

 

If you are smart, you will notice that all of these have the same thing in common, they all begin with:

asdfasdfasdf

 

As long as you know to remove that, you can now decrypt it (if you know how).

 

Maybe it is me, but am I going about that theory wrong?

[knobby2k]

ok so maybe i didn't explain it properly in the beginning...

 

So this is all about a user registering for my site and setting up a username and password, then the password getting encrypted and stored in my database in the most secure way possible.

 

The user chooses their own password (which for this example will be the password 'dog')

 

If i just hash the standard password then rainbow tables could be used to find a match against the hash, so from what i've read it is recommended to use a salt which in the case of this example is $site_secret. $site_secret would be a kind of key; a static value hidden away from everything else that would be added as a string on the password. (for this example the salt will be the word 'key')

 

so... $password . $salt  will make a string of 'dogkey'. This will then produce a more secure hash.

 

What I want to do to make this even more secure is use another value that will be unique to that user, such as the username (for this example 'bob')

 

so... $password . $salt . $username will make a string of 'dogkeybob'. Then hash this using SHA256 to encrypt it which would then produce a unique hash.

 

I believe that my understanding of it is correct... but that is what I am hoping someone can tell me!!

 

Cheers

[knobby2k]

Maybe it is just me, but a salt seems useless.

 

asdfasdfasdf234s8jre45u30jgrg4u594jg09405g40j54oijgt4

asdfasdfasdffgrgjpwoijg4j5j4oit5j45[4509j509jgt59j43955t

asdfasdfasdf45piowt5g945g05h56h955h9y596696hjboiere

asdfasdfasdfwerf8sorj4458jrsrrtjo5jtierjtj84j5tejrtp8gjgjg48

 

If you are smart, you will notice that all of these have the same thing in common, they all begin with:

asdfasdfasdf

 

As long as you know to remove that, you can now decrypt it (if you know how).

 

Maybe it is me, but am I going about that theory wrong?

 

by your description above it sounds like your salt is asdfasdfasdf and then stuck this on the beginning of a hashed password (if i am right). what I actually mean is add the salt to the end of the password before hashing the entire thing.

[spiderwell]

i think what you are suggesting is fine really, it would put off most casual attempts to break in, and like stated, how 'important' is your site, is it really going to attract people who  want to access the data, its not like you are a bank or the playstation network

[Zurev]

I would use blowfish, depending on the amount of rounds it can take up to a second to process, blowing brute forcing out of the water.

 

The salts essentially take rainbow tables out of the equation, in the sense that if we both have the password "abcdef", they will be concatenated with the salt,

and then hashed, so we will have two entirely different hashes for the same password.

 

Here's an example static class I made for a project a bit ago, maybe not the most secure, but I found it fine for my project:

class passPhrase
{
    private static $algorithm = "\$2a";
    private static $rounds    = "\$10";
    private static $method    = "BLOWFISH";

    public static function uniqueSalt($length=22, $chars="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
    {
        $theSalt = "";
        
        for ($i=1; $i<=$length; $i++)
        {
            $theSalt .= substr($chars, mt_rand(0, strlen($chars)), 1);
        }
        
        return $theSalt;
    }

    public static function hashPassword($password, $salt=NULL)
    {
        if (is_null($salt))
        {
            $salt = self::uniqueSalt();
        }

        // @todo Make this check if BLOWFISH is/isn't available, and if not use a different
        // method of encryption
        $salt = self::$algorithm.self::$rounds.'$'.$salt;
        return crypt($password, $salt);
    }

    public static function validatePassphrase($userInput, $passwordHash, $salt)
    {
        if (crypt($userInput, $salt)===$passwordHash)
        {
            return TRUE;
        } else {
            return FALSE;
        }
    }
}

[Pikachu2000]

Are you using SSL for logins? If not, you may as well not even bother hashing the passwords. I mean what's the point of going through all the trouble of salting, and using a strong hashing algorithm like SHA256 if the passwords are going to be traversing the wire in clear text?

[Zurev]

Are you using SSL for logins? If not, you may as well not even bother hashing the passwords. I mean what's the point of going through all the trouble of salting, and using a strong hashing algorithm like SHA256 if the passwords are going to be traversing the wire in clear text?

 

You're saying he shouldn't even hash passwords if he isn't using an SSL certificate? That is such flawed logic, a HUGE amount of websites don't use SSL in their logins, including this one.

[Pikachu2000]

I'm saying there's not much point in designing a fancy hashing/salting/encryption routine to store the passwords if they're going to be sent in clear text over the internet. I'm trying to make the point that security is only as strong as the weakest link, and in the case of most websites that weakest link IS the lack of SSL for sending login credentials, etc.

[phpSensei]

I always thought this script explained it pretty well, from PHP security Consortium

 

<?php

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plainText);
}

?>

[phpSensei]

I'm saying there's not much point in designing a fancy hashing/salting/encryption routine to store the passwords if they're going to be sent in clear text over the internet. I'm trying to make the point that security is only as strong as the weakest link, and in the case of most websites that weakest link IS the lack of SSL for sending login credentials, etc.

 

OpenSSL ftw!

[knobby2k]

Hey could you explain what that code is actually doing please? i'm still learning this so can't quite make sense of it all yet.

 

Cheers

 

I always thought this script explained it pretty well, from PHP security Consortium

 

<?php

define('SALT_LENGTH', 9);

function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        $salt = substr($salt, 0, SALT_LENGTH);
    }

    return $salt . sha1($salt . $plainText);
}

?>

[jonsjava]

Just for fun, here's a different approach to hashing:

function DeepCrypt($salt,$string){
$first_run = md5($string.$salt);
$second_run = str_replace(array("a","2","3"),"",$first_run);
$third_run = md5($second_run.$salt);
return $third_run;
}

Don't really need to do this, but if you're worried about having your hashes reversed, this should clear that up.