Jump to content

Recommended Posts

What is the best function to use when hashing passwords? I've looked on php.net and they tell you on there to stay away from sha1() and md5().

 

I read also about hash() and crypt() and from what I read decided to go with crypt().

 

I don't really understand the hash types of this function though.

 

Can anyone pelase explain a little on this or even the best way to encrypt your passwords?

 

Kind regards,

 

L2c.

Link to comment
https://forums.phpfreaks.com/topic/272725-securing-my-passwords/
Share on other sites

http://crackstation.net/hashing-security.htm the last time i checked that site it was down but it has a very good tutorial on how to hash and sal a password.

i use there sample code but it will be better if you read from him first on how he explains that code.

   public static function create_hash($password) {
    // format: algorithm:iterations:salt:hash
    $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTES, MCRYPT_DEV_URANDOM));
    return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt . ":" .
		    base64_encode(self::pbkdf2(
						    PBKDF2_HASH_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true
				    ));
   }
   private static function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
    $algorithm = strtolower($algorithm);
    if (!in_array($algorithm, hash_algos(), true))
	    die('PBKDF2 ERROR: Invalid hash algorithm.');
    if ($count <= 0 || $key_length <= 0)
	    die('PBKDF2 ERROR: Invalid parameters.');
    $hash_length = strlen(hash($algorithm, "", true));
    $block_count = ceil($key_length / $hash_length);
    $output = "";
    for ($i = 1; $i <= $block_count; $i++) {
	    // $i encoded as 4 bytes, big endian.
	    $last = $salt . pack("N", $i);
	    // first iteration
	    $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
	    // perform the other $count - 1 iterations
	    for ($j = 1; $j < $count; $j++) {
		    $xorsum ^= ( $last = hash_hmac($algorithm, $last, $password, true));
	    }
	    $output .= $xorsum;
    }
    if ($raw_output)
	    return substr($output, 0, $key_length);
    else
	    return bin2hex(substr($output, 0, $key_length));
   }
   public static function validate_password($password, $good_hash) {
    $params = explode(":", $good_hash);
    if (count($params) < HASH_SECTIONS)
	    return false;
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    return self::slow_equals(
				    $pbkdf2, self::pbkdf2(
						    $params[HASH_ALGORITHM_INDEX], $password, $params[HASH_SALT_INDEX], (int) $params[HASH_ITERATION_INDEX], strlen($pbkdf2), true
				    )
    );
   }
   private static function slow_equals($a, $B) {
    $diff = strlen($a) ^ strlen($B);
    for ($i = 0; $i < strlen($a) && $i < strlen($B); $i++) {
	    $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
   }

crypt() uses "rounds" to hash. This means that instead of hashing once and done, like sha1() or md5() do, it will recursively hash N times. It also adds the salt to the end result.

 

But, the big thing is that it supports the Blowfish algorithm, which is very strong and takes a long time to run.

 

If you don't know what you're doing, use a third-party library from someone who does. One of the more reknowned ones is PHPass, but a few others exist as well.

http://crackstation....ng-security.htm the last time i checked that site it was down but it has a very good tutorial on how to hash and sal a password.

i use there sample code but it will be better if you read from him first on how he explains that code.

public static function create_hash($password) {
 // format: algorithm:iterations:salt:hash
 $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTES, MCRYPT_DEV_URANDOM));
 return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt . ":" .
		 base64_encode(self::pbkdf2(
						 PBKDF2_HASH_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true
				 ));
}
private static function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
 $algorithm = strtolower($algorithm);
 if (!in_array($algorithm, hash_algos(), true))
	 die('PBKDF2 ERROR: Invalid hash algorithm.');
 if ($count <= 0 || $key_length <= 0)
	 die('PBKDF2 ERROR: Invalid parameters.');
 $hash_length = strlen(hash($algorithm, "", true));
 $block_count = ceil($key_length / $hash_length);
 $output = "";
 for ($i = 1; $i <= $block_count; $i++) {
	 // $i encoded as 4 bytes, big endian.
	 $last = $salt . pack("N", $i);
	 // first iteration
	 $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
	 // perform the other $count - 1 iterations
	 for ($j = 1; $j < $count; $j++) {
		 $xorsum ^= ( $last = hash_hmac($algorithm, $last, $password, true));
	 }
	 $output .= $xorsum;
 }
 if ($raw_output)
	 return substr($output, 0, $key_length);
 else
	 return bin2hex(substr($output, 0, $key_length));
}
public static function validate_password($password, $good_hash) {
 $params = explode(":", $good_hash);
 if (count($params) < HASH_SECTIONS)
	 return false;
 $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
 return self::slow_equals(
				 $pbkdf2, self::pbkdf2(
						 $params[HASH_ALGORITHM_INDEX], $password, $params[HASH_SALT_INDEX], (int) $params[HASH_ITERATION_INDEX], strlen($pbkdf2), true
				 )
 );
}
private static function slow_equals($a, $B) {
 $diff = strlen($a) ^ strlen($B);
 for ($i = 0; $i < strlen($a) && $i < strlen($B); $i++) {
	 $diff |= ord($a[$i]) ^ ord($b[$i]);
 }
 return $diff === 0;
}

 

Hello 50r

 

That code is just far too complicated for me to understand right now, I'm very new to PHP.

 

It seems like it isn't just a simple task then if you want to do it properly?

 

Regards,

 

L2c.

crypt() uses "rounds" to hash. This means that instead of hashing once and done, like sha1() or md5() do, it will recursively hash N times. It also adds the salt to the end result.

 

But, the big thing is that it supports the Blowfish algorithm, which is very strong and takes a long time to run.

 

If you don't know what you're doing, use a third-party library from someone who does. One of the more reknowned ones is PHPass, but a few others exist as well.

 

Is this not something I can just do with PHP native functions? Obviously I'll read up about how to do a basic hash and then improve upon that. Does it become too complicated with just the native PHP functions then?

 

Regards,

 

L2c.

Ok, I've done what it's said and required the file in my script. I notice when I opened up the PasswordHash.php that is it written in PDO. Does this mean i'll have to use PDO to call the functions etc or can I do it in a prodedural way?

 

Regards,

 

L2c.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.