devilsvein Posted December 9, 2012

Hi guys,

On my registration page I have this code:

    function myhash($password, $unique_salt) {
        $salt = "f#@V)Hu^%Hgfds";
        $hash = sha1($unique_salt . $password);
        // make it take 1000 times longer
        for ($i = 0; $i < 1000; $i++) {
            $hash = sha1($hash);
        }
        return $hash;
    }

    function unique_salt() {
        return substr(sha1(mt_rand()), 0, 22);
    }

    $phash = myhash($password, unique_salt());

I don't know what to do for the login page authentication to ensure I get the same hash code for validation. Would really appreciate the help if someone can post a solution or an alternative answer. Thanks!

(btw I did try using phpass but couldn't get it to work, if anyone suggests that)

https://forums.phpfreaks.com/topic/271798-php-and-hashing-for-loginregistration/
Christian F. Posted December 10, 2012

I'll do you one better: If you post the code and error message you got when trying with phpass, I'll help you get that running.

You have a couple of weaknesses with your current method:

- You preferably should be using something stronger than SHA1, as SHA1 has been broken and is no longer fit for ensuring security in this manner.
- Always add the salt when doing a multi-pass hash, otherwise it's just as open to rainbow-table style attacks as with a single pass.
- You should preferably be using mcrypt_create_iv() or some other, properly random, source for the unique salt. mt_rand() is not properly random, though it is a bit better than straight-up rand(), and thus shouldn't be used for security purposes.
- The user's individual salt needs to be stored in the table, along with the username and password.
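Editor's worked example of the four points in the reply above, added here and not code posted by anyone in the thread. It keeps the shape of the original myhash() but uses hash_pbkdf2() with SHA-256 (PBKDF2 feeds the salt into every iteration through HMAC), draws the salt from random_bytes(), and returns the salt together with the hash so the login page can recompute the same value from the stored row. It assumes PHP 7.0 or newer (random_bytes() and scalar type hints); the function names, constants and sample passwords are assumptions of this example.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.0+ for
// random_bytes() and PHP 5.5+ for hash_pbkdf2(); both are core functions.
//
// Changes versus the posted myhash():
//   1. SHA-256 instead of SHA-1.
//   2. The salt is mixed into every iteration (PBKDF2 does this via HMAC),
//      not only into the first sha1() call.
//   3. The salt comes from the OS CSPRNG, not mt_rand().
//   4. The salt is returned so the caller can store it next to the hash;
//      without it the login page can never recompute the same value.

const HASH_ALGO       = 'sha256';
const HASH_ITERATIONS = 100000;   // the posted code used 1000; tune upward
const SALT_BYTES      = 16;

// Registration: build everything the Persons row must keep for later checks.
function make_password_record(string $password): array
{
    $salt = random_bytes(SALT_BYTES);
    // length 0 = full digest length, binary = true returns raw bytes
    $hash = hash_pbkdf2(HASH_ALGO, $password, $salt, HASH_ITERATIONS, 0, true);
    return [
        'algo'       => HASH_ALGO,
        'iterations' => HASH_ITERATIONS,
        'salt'       => bin2hex($salt),
        'hash'       => bin2hex($hash),
    ];
}

// Login: recompute with the *stored* salt and parameters, then compare.
function check_password(string $password, array $record): bool
{
    $recomputed = hash_pbkdf2(
        $record['algo'],
        $password,
        hex2bin($record['salt']),
        $record['iterations'],
        0,
        true
    );
    // hash_equals() compares in constant time, so a mismatch does not leak
    // where the two strings first differ.
    return hash_equals(hex2bin($record['hash']), $recomputed);
}

// Registration page: store $record's fields in the user's row.
$record = make_password_record('correct horse battery staple');

// Login page: load that row by username, then check the submitted password.
var_dump(check_password('correct horse battery staple', $record));
var_dump(check_password('Tr0ub4dor&3', $record));
```

The first check_password() call returns true and the second false, because the stored salt and iteration count, not a freshly generated salt, drive the recomputation. On PHP 5.5 or newer, password_hash() and password_verify() do all of this (random salt, bcrypt, self-describing hash string) without hand-rolled code and are the better choice for a new project.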
devilsvein Posted December 10, 2012 (Author)

Thanks for your reply! I did go back to using phpass and managed to place this in:

    if ($page_mode == 'Login') {
        require "globe.php"; // db connect
        $username = htmlentities($_POST['username']);
        $username = mysqli_real_escape_string($mysqli, $username);
        $password = $_POST['password'];
        $query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
        $row = mysqli_fetch_assoc($query);
        $numrows = mysqli_num_rows($query);
        $dbuser = $row['Username'];
        $dbpass = $row['Password'];
        $hash_cost_log2 = 8;
        // Do we require the hashes to be portable to older systems (less secure)?
        $hash_portable = FALSE;
        $hasher = new PasswordHash($hash_cost_log2, $hash_portable);
        if (($username == '') || ($password == '')) {
            $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
        } else if ($numrows == 1) {
            $hash = $hasher->HashPassword($password);
            if ($hasher->CheckPassword($password, $hash)) {
                $error_string .= 'Authentication succeeded';
            } else {
                $error_string .= 'Authentication failed';
                //echo $pass
            }
        } else {
            $error_string .= '<font color=red>No username can be found! (2)</font>';
        }
    }

At the moment no error message appears; however, my CheckPassword function always returns true if a username and password are entered, regardless of whether it's right, so I get "Authentication succeeded" showing up.
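Editor's added example, not code from the thread, showing the login check wired so that the submitted password is verified against the hash stored at registration. The posted code hashes the submitted password and then checks that same password against that fresh hash, which succeeds for any input. This version uses PHP's built-in password_hash()/password_verify() (PHP 5.5+), which produce bcrypt strings of the kind phpass also emits in non-portable mode on systems with CRYPT_BLOWFISH, so $hasher->HashPassword() and $hasher->CheckPassword() can be used in the same places. The $persons array stands in for the Persons table; function names and sample credentials are assumptions of this example.

```php
<?php
// Added example, not the original poster's code. Assumes PHP 7.0+ (scalar
// type hints); password_hash()/password_verify() exist from PHP 5.5.

$persons = [];   // username => ['Username' => ..., 'Password' => bcrypt hash]

// Registration page: hash once, store the hash string (it carries its own salt).
function register(array &$persons, string $username, string $password): void
{
    // cost 8 matches the posted $hash_cost_log2; raise it on modern hardware
    $persons[$username] = [
        'Username' => $username,
        'Password' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]),
    ];
}

// Login page: look the user up, then verify against the *stored* hash.
function login(array $persons, string $username, string $password): string
{
    if ($username === '' || $password === '') {
        return 'You have left either the username or password field blank!';
    }
    // With a real database the lookup is a prepared statement:
    //   $stmt = $mysqli->prepare('SELECT Password FROM Persons WHERE Username = ?');
    //   $stmt->bind_param('s', $username);
    // so no manual escaping of $username is needed.
    if (!isset($persons[$username])) {
        return 'No username can be found!';
    }
    $storedHash = $persons[$username]['Password'];

    // The hash from the database, not a freshly computed one, is the second
    // argument. For phpass this is $hasher->CheckPassword($password, $storedHash).
    if (password_verify($password, $storedHash)) {
        return 'Authentication succeeded';
    }
    return 'Authentication failed';
}

// What the posted code effectively does: the password is checked against a
// hash of itself, so this returns true for every input.
function broken_check(string $password): bool
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 8]);
    return password_verify($password, $hash);
}

register($persons, 'alice', 'correct horse battery staple');
echo login($persons, 'alice', 'correct horse battery staple'), PHP_EOL;
echo login($persons, 'alice', 'wrong password'), PHP_EOL;
echo login($persons, 'bob', 'anything'), PHP_EOL;
var_dump(broken_check('wrong password'));
```

Two design notes. The Persons row only needs the username and the hash string; with bcrypt (and phpass) the salt and cost are embedded in that string, so no separate salt column is required. And htmlentities() belongs at output time, not before the lookup: applied to the username first, any name containing & or quotes is searched for in its encoded form and never matches.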