
Size of Hash?


doubledee


What is the size of the output of this function...

 

		$currHash = hash_hmac('sha512', $pass . $salt, VINEGAR);

 

 

I looked in the manual at hash_hmac() but didn't see anything?!

 

I want to make sure that my database field is big enough to handle things.

 

My Password can be between 8-15 characters, for what it is worth...

 

 

Debbie

 

 


The size of the hash returned by hash_hmac() is controlled by the chosen algorithm, in this case SHA 512. So, you would have to look up that algorithm to get the answer (I don't know what it is).

 

I think what Pikachu was saying is to run strlen() against the result and it will tell you the size. For any given algorithm (md5, sha1, etc.) the result will always be the same length for that algorithm, regardless of the input string (or file).

 

 

 


The size of the hash returned by hash_hmac() is controlled by the chosen algorithm, in this case SHA 512. So, you would have to look up that algorithm to get the answer (I don't know what it is).

 

I think what Pikachu was saying is to run strlen() against the result and it will tell you the size. For any given algorithm (md5, sha1, etc.) the result will always be the same length for that algorithm, regardless of the input string (or file).

 

I took his advice and got 128.

 

I was just wondering why I didn't see it in the Manual, but you answered that part for me.

 

So, I have a char(128) for my hash so I assume that is what I want/need, right?

 

 

Debbie

 

 


		$currHash = hash_hmac('sha512', $pass . $salt, VINEGAR);

 

That should do it. But what is that VINEGAR there? The fourth parameter is a boolean indicating whether you want raw (binary) output or not.  Unless VINEGAR is a constant with a value of FALSE, you are getting raw data back, which would be 1/2 the length of the printable value.


		$currHash = hash_hmac('sha512', $pass . $salt, VINEGAR);

 

That should do it. But what is that VINEGAR there? The fourth parameter is a boolean indicating whether you want raw (binary) output or not.  Unless VINEGAR is a constant with a value of FALSE, you are getting raw data back, which would be 1/2 the length of the printable value.

 

Ah man, don't go break my code at this late stage?!

 

I dunno...

 

I was told that this code would be the most secure way to create a Hash...  :shrug:

 

		$currHash = hash_hmac('sha512', $pass . $salt, VINEGAR);

 

 

It has been working for the last several months, and I thought it was right?!

 

Did someone give me wrong information???  :'(

 

 

Debbie

 

 


		$currHash = hash_hmac('sha512', $pass . $salt, VINEGAR);

 

That should do it. But what is that VINEGAR there? The fourth parameter is a boolean indicating whether you want raw (binary) output or not.  Unless VINEGAR is a constant with a value of FALSE, you are getting raw data back, which would be 1/2 the length of the printable value.

 

If you look closer, you'll see I have 3 parameters and not 4...

 

 

Debbie

 


My Password can be between 8-15 characters, for what it is worth...

 

Don't set a maximum limit on the password. There is literally no reason to do that, and you're just going to annoy people. The hash will always be the same size regardless of the input.


My Password can be between 8-15 characters, for what it is worth...

 

Don't set a maximum limit on the password. There is literally no reason to do that, and you're just going to annoy people. The hash will always be the same size regardless of the input.

 

Interesting side note...

 

So if someone types in a PARAGRAPH for his/her Password, it won't break anything?!  :confused:

 

 

It is funny you mentioned this, because I JUST spent a lot of time changing all of my HTML Forms from 40 to 15 because I thought I had made a mistake and that I should limit the upper size since that is what is defined in my Regex.

 

Hmmm.....

 

 

Debbie

 

 

 


So if someone types in a PARAGRAPH for his/her Password, it won't break anything?!  :confused:

 

No. Hashes are commonly used to verify the integrity of files, which could be millions of bytes. Do you really think that small amount of data is going to hurt anything?


So if someone types in a PARAGRAPH for his/her Password, it won't break anything?!  :confused:

 

No. Hashes are commonly used to verify the integrity of files, which could be millions of bytes. Do you really think that small amount of data is going to hurt anything?

 

Sure!!

 

How can you take a PARAGRAPH and hash it or whatever and stick it into a char(128) field and not lose anything and not have any collisions?!

 

If my field was char(2) and I had a set of passwords that was each the contents of books in the local library, there is NO WAY you could not have collisions?!  :o

 

 

Debbie

 


How can you take a PARAGRAPH and hash it or whatever and stick it into a char(128) field and not lose anything and not have any collisions?!

 

Because that's what hash algorithms are designed to do.

 

There is just as much chance to get a collision from hashing "a" and "b" as there is from hashing the content from two different books.


How can you take a PARAGRAPH and hash it or whatever and stick it into a char(128) field and not lose anything and not have any collisions?!

 

Because that's what hash algorithms are designed to do.

 

There is just as much chance to get a collision from hashing "a" and "b" as there is from hashing the content from two different books.

 

Okay, I get what you are saying, but there still needs to be some upper limit because of my Form Fields, right?

 

I mean I guess you can leave off "maxlength", but it seems like bad form - no pun intended - to not limit the size of Form Fields...

 

Maybe I could switch things back to something like this...

 

<!-- Password2 -->

<label for="pass2"><b>*</b>Confirm Password:</label>

<input id="pass2" name="pass2" type="password" maxlength="40" />

 

 

 

Debbie

 

 


Okay, I get what you are saying, but there still needs to be some upper limit because of my Form Fields, right?

 

I mean I guess you can leave off "maxlength", but it seems like bad form - no pun intended - to not limit the size of Form Fields...

 

No, it isn't.  There is no requirement that you limit a form field's length.  I hardly ever use the maxlength attribute in my HTML.  Only for things like a zipcode or when I want a two-letter state abbreviation pretty much.  I always just enforce a length in the PHP if it is required, let the user submit whatever they want.

 

In the particular case of passwords, I don't enforce any type of maximum length, only minimum.  If a user wants to write out a book for their password, so be it.  I will use small phrases for my passwords typically, provided the site lets me.  It's quite annoying when a site rejects a password because it's too long or contains an "invalid" character.

 


I mean I guess you can leave off "maxlength", but it seems like bad form - no pun intended - to not limit the size of Form Fields...

 

Just so you're aware, "maxlength" is purely visual feedback to the user. It is easily circumvented and offers no other use. If you want to enforce minimum lengths, you must do it with PHP.

 

It's quite annoying when a site rejects a password because it's too long or contains an "invalid" character.

 

Which brings up another good point. You don't need to filter out characters for passwords either, since it's going to be hashed. It can't cause SQL injection because it is hashed before it gets there, and it can't cause XSS because you won't ever be displaying it in plaintext. So, again, there's no logical reason to filter characters.
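The server-side handling the last two replies describe (a minimum length enforced in PHP, no maximum, no character filtering, and the hash as the only thing that reaches the database), written out as an added example that is not code from the thread. It keeps the poster's hash_hmac() call; VINEGAR, the salt and the sample submissions are constructed placeholders, and MIN_PASSWORD_LENGTH is an assumed policy value.

```php
<?php
// Added example, not code from the thread: server-side password handling that
// enforces only a minimum length, no maximum and no character filtering, then
// stores a fixed-size hash. VINEGAR is a constructed placeholder for the site's
// secret HMAC key; the salt and the sample submissions are constructed too.
declare(strict_types=1);

const VINEGAR = 'placeholder-secret-hmac-key';
const MIN_PASSWORD_LENGTH = 10;   // assumed policy value

// Returns null when the password is acceptable, otherwise a user-facing message.
// Length is counted in characters (mb_strlen) rather than bytes, and the HTML
// maxlength attribute is deliberately not relied on: this check is the real one.
function validatePassword(string $pass): ?string
{
    if (mb_strlen($pass) < MIN_PASSWORD_LENGTH) {
        return 'Password must be at least ' . MIN_PASSWORD_LENGTH . ' characters.';
    }
    return null;   // any length above the minimum, any characters
}

// Hash exactly as the thread does; the third parameter is the HMAC key and the
// default (non-raw) output is a hex string, always 128 characters for sha512.
function hashPassword(string $pass, string $salt): string
{
    return hash_hmac('sha512', $pass . $salt, VINEGAR);
}

// Compare in constant time so response timing does not reveal how many
// leading bytes of the stored hash matched.
function verifyPassword(string $pass, string $salt, string $storedHash): bool
{
    return hash_equals($storedHash, hashPassword($pass, $salt));
}

// Constructed submissions a form might produce, including a paragraph and
// characters a naive "invalid character" filter would have rejected.
$salt = 'constructed-per-user-salt';
$samples = [
    'short1',
    "a whole paragraph, with 'quotes'; <tags> and -- dashes, typed as a password",
    'the quick brown fox jumped over the lazy dog',
];
foreach ($samples as $pass) {
    $error = validatePassword($pass);
    if ($error !== null) {
        printf("rejected (%d chars): %s\n", mb_strlen($pass), $error);
        continue;
    }
    $stored = hashPassword($pass, $salt);   // what goes into the CHAR(128) column
    printf("accepted (%d chars) -> %d-char hash, verify=%s\n",
        mb_strlen($pass), strlen($stored),
        verifyPassword($pass, $salt, $stored) ? 'ok' : 'FAIL');
}
```

Nothing about the password text itself is inspected beyond its length: quotes, angle brackets and dashes go straight into the hash, which is why neither SQL injection nor XSS is a concern for this field, as the reply above says. Note that hash_hmac() is a fast hash; PHP's password_hash() (available since PHP 5.5) applies a deliberately slow, salted algorithm built for password storage and is what a new implementation should use instead of this construction.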


Just so you're aware, "maxlength" is purely visual feedback to the user. It is easily circumvented and offers no other use. If you want to enforce minimum lengths, you must do it with PHP.

 

But when combined with PHP validation, MaxLength helps you to get the cleanest data the first time...

 

 

It's quite annoying when a site rejects a password because it's too long or contains an "invalid" character.

 

So how wide - physically - should I make my Password field?

 

Maybe it doesn't even matter since the User can't see what they are typing?!

 

 

Which brings up another good point. You don't need to filter out characters for passwords either, since it's going to be hashed. It can't cause SQL injection because it is hashed before it gets there, and it can't cause XSS because you won't ever be displaying it in plaintext. So, again, there's no logical reason to filter characters.

 

Regex can be used to ensure Password-Strength...

 

 

Debbie

 


Don't forget that

'the quick brown fox jumped over the lazy dog'

is WAY more complex password than

'#$az8Q{mw'

 

The only time you really need RegEx to ensure complexity is if the password is shorter than ~10 characters. Anything more than 10 characters is 'complex enough' by length alone.

 

A 10-character password using only lower-case letters contains 141 trillion combinations. Even at a million hashes a second, it'd take 4.5 years to test every combination, over a year to test 25% of the combinations.
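The arithmetic behind this post, carried through for its two sample passwords as an added example (not code from the thread): the search space is modelled as alphabet size to the power of length, with the alphabet inferred from the character classes present, and the time to exhaust it uses the post's million-guesses-per-second rate. The class sizes (26/26/10/33) and the rate are assumptions of the model, not figures from the thread.

```php
<?php
// Added example, not from the thread: brute-force search space of a long
// lowercase passphrase versus a short "complex" password, using the thread's
// two sample passwords and its assumed rate of a million guesses per second.
declare(strict_types=1);

const GUESSES_PER_SECOND = 1000000.0;        // rate assumed in the thread
const SECONDS_PER_YEAR   = 365.25 * 86400;

// Size of the smallest printable-ASCII alphabet the password draws from
// (assumed class sizes: 26 lower, 26 upper, 10 digits, 33 space/punctuation).
function alphabetSize(string $password): int
{
    $size = 0;
    if (preg_match('/[a-z]/', $password)) { $size += 26; }
    if (preg_match('/[A-Z]/', $password)) { $size += 26; }
    if (preg_match('/[0-9]/', $password)) { $size += 10; }
    if (preg_match('/[^a-zA-Z0-9]/', $password)) { $size += 33; }
    return $size;
}

// Bits of entropy under a pure brute-force model: length * log2(alphabet).
function bruteForceBits(string $password): float
{
    return strlen($password) * log(alphabetSize($password), 2);
}

// Years needed to try every combination at the given rate (a float, since
// 27^44-sized spaces do not fit in an integer).
function yearsToExhaust(string $password, float $rate = GUESSES_PER_SECOND): float
{
    return (2 ** bruteForceBits($password)) / $rate / SECONDS_PER_YEAR;
}

$samples = [
    'the quick brown fox jumped over the lazy dog',   // the thread's passphrase
    '#$az8Q{mw',                                      // the thread's "complex" one
    'abcdefghij',                                     // 10 lowercase letters, as in the post
];
foreach ($samples as $pw) {
    printf("%-46s len=%2d alphabet=%2d %6.1f bits  %.3g years to exhaust\n",
        $pw, strlen($pw), alphabetSize($pw), bruteForceBits($pw), yearsToExhaust($pw));
}
```

The 10-letter lowercase case reproduces the post's figures (26^10 is about 141 trillion, roughly 4.5 years at a million guesses per second), while the 44-character phrase is out of reach of brute force by hundreds of bits. The model only counts brute force, though: a phrase that appears in a wordlist is found by a dictionary attack regardless of its length, which is the objection the next replies raise.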

 

Why is this not documented in hash_hmac() ??

 

 

Debbie

 

Because it changes, depending on the size of the hash, and how you want the data returned. For hex, simply divide the bit-size by 4. For base64 it gets a little more complicated, but the size will still be static.
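The rule given in the replies above (output length is fixed by the algorithm and by whether raw or hex output is requested, never by the input size; hex length is the digest's bit size divided by four) demonstrated by measuring it, as an added example that is not code from the thread. It calls hash_hmac() with its documented fourth parameter $binary; VINEGAR and the salt are constructed placeholders for the poster's values.

```php
<?php
// Added example, not code from the thread: the length of hash_hmac() output is
// fixed by the algorithm and by the $binary flag, never by the length of the
// data hashed. VINEGAR (the HMAC key, the third parameter) and the salt are
// constructed placeholder values.
declare(strict_types=1);

const VINEGAR = 'placeholder-secret-hmac-key';

function hmacLengths(string $algo, string $data, string $key): array
{
    // hash_hmac(string $algo, string $data, string $key, bool $binary = false)
    $hex = hash_hmac($algo, $data, $key);          // default: lowercase hex string
    $raw = hash_hmac($algo, $data, $key, true);    // raw bytes, half the hex length
    return [
        'hex_chars'   => strlen($hex),
        'raw_bytes'   => strlen($raw),
        'digest_bits' => strlen($raw) * 8,
        'hex_is_hex'  => ctype_xdigit($hex),       // true: safe for a CHAR column
    ];
}

$salt = 'constructed-per-user-salt';
$inputs = [
    'short'     => 'abc',
    'paragraph' => str_repeat('The quick brown fox jumped over the lazy dog. ', 50),
];

foreach (['md5', 'sha1', 'sha256', 'sha512'] as $algo) {
    foreach ($inputs as $label => $pass) {
        $len = hmacLengths($algo, $pass . $salt, VINEGAR);
        printf("%-6s %-9s input=%5d bytes -> hex=%3d chars, raw=%2d bytes (%3d-bit digest, hex ok=%s)\n",
            $algo, $label, strlen($pass), $len['hex_chars'], $len['raw_bytes'],
            $len['digest_bits'], $len['hex_is_hex'] ? 'yes' : 'no');
    }
}
```

For sha512 both inputs give 128 hex characters or 64 raw bytes (512 bits / 4 and 512 bits / 8), so a CHAR(128) column fits the default output exactly; storing the raw form instead would call for a BINARY(64) column, and a mismatch between the two is the silent truncation the earlier reply warns about.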


Anything more than 10 characters is 'complex enough' by length alone.

 

A 10-character password using only lower-case letters contains 141 trillion combinations. Even at a million hashes a second, it'd take 4.5 years to test every combination, over a year to test 25% of the combinations.

 

I disagree with that. If a malicious user is trying to hack a hashed password they will use common words/phrases before they start using something like "#$az8Q{mw". But, I would not suggest enforcing complexity to the user (unless it was a financial site). At some point you have to put some responsibility on the user.

 

 

So how wide - physically - should I make my Password field?

 

 

The same length as the username field. It's visually appealing for them to line up.

 

That is the visual width of the element - which is not related to the length (i.e. how many characters the field will accept)


She asked how wide "physically".

 

I can't think of any other "physical" way a form field can be described in length than the visual width of it. Especially after she was told not to limit it at all using maxlen.


I disagree with that. If a malicious user is trying to hack a hashed password they will use common words/phrases before they start using something like "#$az8Q{mw". But, I would not suggest enforcing complexity to the user (unless it was a financial site). At some point you have to put some responsibility on the user.

 

As far as common, insecure passwords go, a vast minority of them use 10 or more characters.

 

If you'd like, replace the quick brown fox with a song lyric, a movie phrase, or anything else of similar size. You'd have to get a pretty comprehensive, maybe even custom password list to include that quick brown fox phrase anyway.

 

My point was, you can make very complex passwords without following a scheme some developer decided was best for it. Many banks, Facebook, Blizzard, etc don't even bother with case-sensitive passwords any more. The caps-lock key was too much support time to deal with, and the added entropy of 26 additional choices per character doesn't mean much on a 10-character password for implementation's sake.

 

4 years or 40, by the time the password is cracked, it's pretty useless.
