Hall of Famer Posted August 27, 2011 Share Posted August 27, 2011 This is what the password encryption code looks like: function passencr($username, $password){ $pepper = ******; //a hard-coded pepper. $salt = ******; //a customizable salt defined by user. $username = md5($username); $password = md5($password); $newpassword = sha1($username.$password); $finalpassword = sha1($pepper.$newpassword.$salt); return $finalpassword; } So in this script both username and password are encrypted with md5 and then joined together to further encrypt with sha1 method. The finalized string is a combination of the new string, pepper and salt. I wonder if this is secure enough and whether there is a way to improve it. Quote Link to comment Share on other sites More sharing options...
random1 Posted August 27, 2011 Share Posted August 27, 2011 "sha1" has been compromised and governments across the world and no longer using it. so I'd advise against it You should use: http://www.php.net/manual/en/function.hash.php (if you are using PHP 5.1.2 or above) Supported algorithms: http://www.php.net/manual/en/function.hash-algos.php I'm currently using "sha512" but may change that soon after more research. To get and indication of the performance of the hashing on your server try: [run the test when the server has full resources available] hash.php <?php define('HASH_TIMES', 1000); define('HASH_DATA', 'The quick brown fox jumped over!'); // 32 bytes header('Content-Type: text/plain'); echo 'Testing ' . strlen(HASH_DATA) . ' bytes of data over ' . HASH_TIMES . " iterations:\n"; foreach (hash_algos() as $algo) { $time = microtime(1); for ($i = 0; $i < HASH_TIMES; $i++) hash($algo, HASH_DATA); $results[$algo] = microtime(1) - $time; } $time = microtime(1); for ($i = 0; $i < HASH_TIMES; $i++) crc32(HASH_DATA); $results['crc32()'] = microtime(1) - $time; $time = microtime(1); for ($i = 0; $i < HASH_TIMES; $i++) md5(HASH_DATA); $results['md5()'] = microtime(1) - $time; $time = microtime(1); for ($i = 0; $i < HASH_TIMES; $i++) sha1(HASH_DATA); $results['sha1()'] = microtime(1) - $time; asort($results, SORT_NUMERIC); foreach ($results as $algo => $time) echo "\n$time\t$algo"; ?> This "performance" is not really equal to "security" so pick wisely Some reading: http://en.wikipedia.org/wiki/Secure_Hash_Algorithm All the Best!, - Deano Quote Link to comment Share on other sites More sharing options...
Hall of Famer Posted August 27, 2011 Author Share Posted August 27, 2011 I see, so changing sha1 to sha512 is a better idea? In the script I provided, both username and password are encrypted with md5 and then joined together by sha1 followed by another sha1 encryption with salt and pepper. Anyway do you think it improves security by encrypting passwords for more than one time? Quote Link to comment Share on other sites More sharing options...
random1 Posted August 27, 2011 Share Posted August 27, 2011 Encrypting more that once; say md5 then sha1; may seem good but it is really bad idea. It reduces security since it increases the chances of someone using a "rainbow table" and "hashing collision" to hone down on a password. I'd use sha512 (in the SHA2 family) once and choose a good salt for it. Also just a side note. try thinking hard about whether or not to encrypt the username or not. Because one way encrypting a username would mean that you couldn't display or use the username on your site. Really only passwords should be one way encrypted. Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted August 27, 2011 Share Posted August 27, 2011 md5 and sha1 are not encryption methods, they are simply calculating the hash values of strings supplied. See the sticky at the top of this board: http://www.phpfreaks.com/forums/index.php/topic,254277.0.html Quote Link to comment Share on other sites More sharing options...
Hall of Famer Posted August 27, 2011 Author Share Posted August 27, 2011 Well the username is not really encrypted in a way that it cannot be displayed. The so-called username encryption is pretty much just like another salt or pepper that encrypts together with password. Thanks for your suggestion, I will give a try. I found this from the thread Jaysonic provided, is it a good idea to try the approach? function generateRandom($length = 32, $extraChars = false) { $chars = '0123456789abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVW'; if ($extraChars) { $chars .= '_-+=%&*\'"`\\()~@{}[]<>,.?#| '; } for ($i = 0, $charRange = strlen($chars)-1, $password = ''; $i < $length; $i++) { $password .= $chars[mt_rand(0, $charRange)]; } return $password; } function hashPassword($password, $salt, $salt2) { $salt2Length = strlen($salt2); for ($i = 0, $max = strlen($password); $i < $max; $i++) { $password[$i] = chr(ord($password[$i]) ^ ord($salt2[$i % $salt2Length])); } return hash('sha256', $salt . base64_encode($password)); } $salt = generateRandom(32, true); $salt2 = generateRandom(32, true); $password = 'goodJob'; $hash = hashPassword($password, $salt, $salt2); echo "Salt: {$salt}\nSalt 2: {$salt2}\nPassword: {$password}\nHash: {$hash}"; Quote Link to comment Share on other sites More sharing options...
Hall of Famer Posted August 27, 2011 Author Share Posted August 27, 2011 And btw, is using hard-coded pepper together with a random generated salt better than simply using salt or pepper alone? Quote Link to comment Share on other sites More sharing options...
random1 Posted August 28, 2011 Share Posted August 28, 2011 Well the username is not really encrypted in a way that it cannot be displayed. The so-called username encryption is pretty much just like another salt or pepper that encrypts together with password. Thanks for your suggestion, I will give a try. I found this from the thread Jaysonic provided, is it a good idea to try the approach? function generateRandom($length = 32, $extraChars = false) { $chars = '0123456789abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVW'; if ($extraChars) { $chars .= '_-+=%&*\'"`\\()~@{}[]<>,.?#| '; } for ($i = 0, $charRange = strlen($chars)-1, $password = ''; $i < $length; $i++) { $password .= $chars[mt_rand(0, $charRange)]; } return $password; } function hashPassword($password, $salt, $salt2) { $salt2Length = strlen($salt2); for ($i = 0, $max = strlen($password); $i < $max; $i++) { $password[$i] = chr(ord($password[$i]) ^ ord($salt2[$i % $salt2Length])); } return hash('sha256', $salt . base64_encode($password)); } $salt = generateRandom(32, true); $salt2 = generateRandom(32, true); $password = 'goodJob'; $hash = hashPassword($password, $salt, $salt2); echo "Salt: {$salt}\nSalt 2: {$salt2}\nPassword: {$password}\nHash: {$hash}"; Yeah that seems pretty solid. Just make sure you understand it first and then test, test, test! Quote: And btw, is using hard-coded pepper together with a random generated salt better than simply using salt or pepper alone? A) Hmmm I'm not sure. Maybe someone else knows this? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.