doubledee Posted July 2, 2012 Share Posted July 2, 2012 What is the size of the output of this function... $currHash = hash_hmac('sha512', $pass . $salt, VINEGAR); I looked in the manual at hash_hmac() but didn't see anything?! I want to make sure that my database field is big enough to handle things. My Password can be between 8-15 characters, for what it is worth... Debbie
Pikachu2000 Posted July 2, 2012 Share Posted July 2, 2012 strlen
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 strlen Why is this not documented in hash_hmac() ?? Debbie
DavidAM Posted July 2, 2012 Share Posted July 2, 2012 The size of the hash returned by hash_hmac() is controlled by the chosen algorithm, in this case SHA 512. So, you would have to look up that algorithm to get the answer (I don't know what it is). I think what Pikachu was saying is to run strlen() against the result and it will tell you the size. For any given algorithm (md5, sha1, etc.) the result will always be the same length for that algorithm, regardless of the input string (or file).
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 The size of the hash returned by hash_hmac() is controlled by the chosen algorithm, in this case SHA 512. So, you would have to look up that algorithm to get the answer (I don't know what it is). I think what Pikachu was saying is to run strlen() against the result and it will tell you the size. For any given algorithm (md5, sha1, etc.) the result will always be the same length for that algorithm, regardless of the input string (or file). I took his advice and got 128. I was just wondering why I didn't see it in the Manual, but you answered that part for me. So, I have a char(128) for my hash so I assume that is what I want/need, right? Debbie
DavidAM Posted July 2, 2012 Share Posted July 2, 2012 $currHash = hash_hmac('sha512', $pass . $salt, VINEGAR); That should do it. But what is that VINEGAR there? The fourth parameter is a boolean indicating whether you want raw (binary) output or not. Unless VINEGAR is a constant with a value of FALSE, you are getting raw data back, which would be 1/2 the length of the printable value.
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 $currHash = hash_hmac('sha512', $pass . $salt, VINEGAR); That should do it. But what is that VINEGAR there? The fourth parameter is a boolean indicating whether you want raw (binary) output or not. Unless VINEGAR is a constant with a value of FALSE, you are getting raw data back, which would be 1/2 the length of the printable value. Ah man, don't go break my code at this late stage?! I dunno... I was told that this code would be the most secure way to create a Hash... $currHash = hash_hmac('sha512', $pass . $salt, VINEGAR); It has been working for the last several months, and I thought it was right?! Did someone give me wrong information??? :'( Debbie
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 $currHash = hash_hmac('sha512', $pass . $salt, VINEGAR); That should do it. But what is that VINEGAR there? The fourth parameter is a boolean indicating whether you want raw (binary) output or not. Unless VINEGAR is a constant with a value of FALSE, you are getting raw data back, which would be 1/2 the length of the printable value. If you look closer, you'll see I have 3 parameters and not 4... Debbie
scootstah Posted July 2, 2012 Share Posted July 2, 2012 My Password can be between 8-15 characters, for what it is worth... Don't set a maximum limit on the password. There is literally no reason to do that, and you're just going to annoy people. The hash will always be the same size regardless of the input.
DavidAM Posted July 2, 2012 Share Posted July 2, 2012 If you look closer, you'll see I have 3 parameters and not 4... Oops! I thought that dot was a comma. You are right.
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 If you look closer, you'll see I have 3 parameters and not 4... Oops! I thought that dot was a comma. You are right. David, you will be getting a bill from my cardiologist?! Debbie
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 My Password can be between 8-15 characters, for what it is worth... Don't set a maximum limit on the password. There is literally no reason to do that, and you're just going to annoy people. The hash will always be the same size regardless of the input. Interesting side note... So if someone types in a PARAGRAPH for his/her Password, it won't break anything?! It is funny you mentioned this, because I JUST spent a lot of time changing all of my HTML Forms from 40 to 15 because I thought I had made a mistake and that I should limit the upper size since that is what is defined in my Regex. Hmmm..... Debbie
scootstah Posted July 2, 2012 Share Posted July 2, 2012 So if someone types in a PARAGRAPH for his/her Password, it won't break anything?! No. Hashes are commonly used to verify the integrity of files, which could be millions of bytes. Do you really think that small amount of data is going to hurt anything?
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 So if someone types in a PARAGRAPH for his/her Password, it won't break anything?! No. Hashes are commonly used to verify the integrity of files, which could be millions of bytes. Do you really think that small amount of data is going to hurt anything? Sure!! How can you take a PARAGRAPH and hash it or whatever and stick it into a char(128) field and not lose anything and not have any collisions?! If my field was char(2) and I had a set of passwords that was each the contents of books in the local library, there is NO WAY you could not have collisions?! Debbie
scootstah Posted July 2, 2012 Share Posted July 2, 2012 How can you take a PARAGRAPH and hash it or whatever and stick it into a char(128) field and not lose anything and not have any collisions?! Because that's what hash algorithms are designed to do. There is just as much chance to get a collision from hashing "a" and "b" as there is from hashing the content from two different books.
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 How can you take a PARAGRAPH and hash it or whatever and stick it into a char(128) field and not lose anything and not have any collisions?! Because that's what hash algorithms are designed to do. There is just as much chance to get a collision from hashing "a" and "b" as there is from hashing the content from two different books. Okay, I get what you are saying, but there still needs to be some upper limit because of my Form Fields, right? I mean I guess you can leave off "maxlength", but it seems like bad form - no pun intended - to not limit the size of Form Fields... Maybe I could switch things back to something like this... <!-- Password2 --> <label for="pass2"><b>*</b>Confirm Password:</label> <input id="pass2" name="pass2" type="password" maxlength="40" /> Debbie
kicken Posted July 2, 2012 Share Posted July 2, 2012 Okay, I get what you are saying, but there still needs to be some upper limit because of my Form Fields, right? I mean I guess you can leave off "maxlength", but it seems like bad form - no pun intended - to not limit the size of Form Fields... No, it isn't. There is no requirement that you limit a form field's length. I hardly ever use the maxlength attribute in my HTML. Only for things like a zipcode or when I want a two-letter state abbreviation, pretty much. I always just enforce a length in the PHP if it is required; let the user submit whatever they want. In the particular case of passwords, I don't enforce any type of maximum length, only minimum. If a user wants to write out a book for their password, so be it. I will use small phrases for my passwords typically, provided the site lets me. It's quite annoying when a site rejects a password because it's too long or contains an "invalid" character.
scootstah Posted July 2, 2012 Share Posted July 2, 2012 I mean I guess you can leave off "maxlength", but it seems like bad form - no pun intended - to not limit the size of Form Fields... Just so you're aware, "maxlength" is purely visual feedback to the user. It is easily circumvented and offers no other use. If you want to enforce minimum lengths, you must do it with PHP. It's quite annoying when a site rejects a password because it's too long or contains an "invalid" character. Which brings up another good point. You don't need to filter out characters for passwords either, since it's going to be hashed. It can't cause SQL injection because it is hashed before it gets there, and it can't cause XSS because you won't ever be displaying it in plaintext. So, again, there's no logical reason to filter characters.
doubledee Posted July 2, 2012 Author Share Posted July 2, 2012 Just so you're aware, "maxlength" is purely visual feedback to the user. It is easily circumvented and offers no other use. If you want to enforce minimum lengths, you must do it with PHP. But when combined with PHP validation, MaxLength helps you to get the cleanest data the first time... It's quite annoying when a site rejects a password because it's too long or contains an "invalid" character. So how wide - physically - should I make my Password field? Maybe it doesn't even matter since the User can't see what they are typing?! Which brings up another good point. You don't need to filter out characters for passwords either, since it's going to be hashed. It can't cause SQL injection because it is hashed before it gets there, and it can't cause XSS because you won't ever be displaying it in plaintext. So, again, there's no logical reason to filter characters. Regex can be used to ensure Password-Strength... Debbie
xyph Posted July 2, 2012 Share Posted July 2, 2012 Don't forget that 'the quick brown fox jumped over the lazy dog' is a WAY more complex password than '#$az8Q{mw'. The only time you really need RegEx to ensure complexity is if the password is shorter than ~10 characters. Anything more than 10 characters is 'complex enough' by length alone. A 10-character password using only lower-case letters contains 141 trillion combinations. Even at a million hashes a second, it'd take 4.5 years to test every combination, over a year to test 25% of the combinations. Why is this not documented in hash_hmac() ?? Debbie Because it changes, depending on the size of the hash, and how you want the data returned. For hex, simply divide the bit-size by 4. For base64 it gets a little more complicated, but the size will still be static.
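Putting DavidAM's and xyph's points about output width into runnable form: an added Python example (not code from the thread) that mirrors PHP's hash_hmac('sha512', $pass . $salt, $key) in both hex and raw form, derives the storage width each encoding needs from the algorithm's digest size, and checks that a paragraph-length password produces exactly the same width as a short one. The key, salt and sample passwords are constructed placeholders.

```python
import base64
import hashlib
import hmac
import math

# Constructed placeholder standing in for the thread's VINEGAR constant.
SERVER_KEY = b"placeholder-server-side-key"


def expected_lengths(algo: str) -> dict:
    """Width of hash_hmac() output per encoding, derived from the digest size.

    hex    = bits / 4 (PHP default, raw_output = false): 128 for sha512
    raw    = bits / 8 (raw_output = true):                64 for sha512
    base64 = 4 * ceil(raw / 3), '=' padding included:     88 for sha512
    """
    raw_bytes = hashlib.new(algo).digest_size
    return {"raw": raw_bytes,
            "hex": raw_bytes * 2,
            "base64": 4 * math.ceil(raw_bytes / 3)}


def measured_lengths(algo: str, password: str, salt: str,
                     key: bytes = SERVER_KEY) -> dict:
    """Compute HMAC(key, password . salt), as hash_hmac() does, and measure it."""
    mac = hmac.new(key, (password + salt).encode("utf-8"), algo)
    raw = mac.digest()
    return {"raw": len(raw),
            "hex": len(mac.hexdigest()),
            "base64": len(base64.b64encode(raw))}


def width_is_input_independent(algo: str) -> bool:
    """A short password and a paragraph-length one must hash to the same width."""
    short = measured_lengths(algo, "correct horse", "s4lt")
    long_ = measured_lengths(algo, "the quick brown fox jumped over the lazy dog " * 50, "s4lt")
    return short == long_ == expected_lengths(algo)


if __name__ == "__main__":
    for algo in ("md5", "sha1", "sha256", "sha512"):
        print(algo, expected_lengths(algo), width_is_input_independent(algo))
```

The default hex output fits the thread's CHAR(128) column exactly; with raw_output = true the result is 64 bytes of binary and belongs in a BINARY(64) column instead.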
Jessica Posted July 2, 2012 Share Posted July 2, 2012 So how wide - physically - should I make my Password field? The same length as the username field. It's visually appealing for them to line up.
Psycho Posted July 2, 2012 Share Posted July 2, 2012 Anything more than 10 characters is 'complex enough' by length alone. 10 character password using only lower-case letters contains 141 trillion combinations. Even at a million hashes a second, it'd take 4.5 years to test every combination, over a year to test 25% of the combinations. I disagree with that. If a malicious user is trying to hack a hashed password they will use common words/phrases before they start using something like "#$az8Q{mw". But, I would not suggest enforcing complexity to the user (unless it was a financial site). At some point you have to put some responsibility on the user. So how wide - physically - should I make my Password field? The same length as the username field. It's visually appealing for them to line up. That is the visual width of the element - which is not related to the length (i.e. how many characters the field will accept)
Jessica Posted July 2, 2012 Share Posted July 2, 2012 She asked how wide "physically". I can't think of any other "physical" way a form field can be described in length than the visual width of it. Especially after she was told not to limit it at all using maxlen.
xyph Posted July 2, 2012 Share Posted July 2, 2012 I disagree with that. If a malicious user is trying to hack a hashed password they will use common words/phrases before they start using something like "#$az8Q{mw". But, I would not suggest enforcing complexity to the user (unless it was a financial site). At some point you have to put some responsibility on the user. As far as common, insecure passwords go, a vast minority of them use 10 or more characters. If you'd like, replace the quick brown fox with a song lyric, a movie phrase, or anything else of similar size. You'd have to get a pretty comprehensive, maybe even custom password list to include that quick brown fox phrase anyway. My point was, you can make very complex passwords without following a scheme some developer decided was best for it. Many banks, Facebook, Blizzard, etc don't even bother with case-sensitive passwords any more. The caps-lock key was too much support time to deal with, and the added entropy of 26 additional choices per character doesn't mean much on a 10-character password for implementation's sake. 4 years or 40, by the time the password is cracked, it's pretty useless.
scootstah Posted July 2, 2012 Share Posted July 2, 2012 Regex can be used to ensure Password-Strength... Have a look at this xkcd comic to see why you're wrong.