Love2c0de Posted January 5, 2013 Share Posted January 5, 2013 What is the best function to use when hashing passwords? I've looked on php.net and they tell you on there to stay away from sha1() and md5(). I read also about hash() and crypt() and from what I read decided to go with crypt(). I don't really understand the hash types of this function though. Can anyone pelase explain a little on this or even the best way to encrypt your passwords? Kind regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/ Share on other sites More sharing options...
50r Posted January 5, 2013 Share Posted January 5, 2013 http://crackstation.net/hashing-security.htm the last time i checked that site it was down but it has a very good tutorial on how to hash and sal a password. i use there sample code but it will be better if you read from him first on how he explains that code. public static function create_hash($password) { // format: algorithm:iterations:salt:hash $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTES, MCRYPT_DEV_URANDOM)); return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt . ":" . base64_encode(self::pbkdf2( PBKDF2_HASH_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true )); } private static function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) { $algorithm = strtolower($algorithm); if (!in_array($algorithm, hash_algos(), true)) die('PBKDF2 ERROR: Invalid hash algorithm.'); if ($count <= 0 || $key_length <= 0) die('PBKDF2 ERROR: Invalid parameters.'); $hash_length = strlen(hash($algorithm, "", true)); $block_count = ceil($key_length / $hash_length); $output = ""; for ($i = 1; $i <= $block_count; $i++) { // $i encoded as 4 bytes, big endian. $last = $salt . pack("N", $i); // first iteration $last = $xorsum = hash_hmac($algorithm, $last, $password, true); // perform the other $count - 1 iterations for ($j = 1; $j < $count; $j++) { $xorsum ^= ( $last = hash_hmac($algorithm, $last, $password, true)); } $output .= $xorsum; } if ($raw_output) return substr($output, 0, $key_length); else return bin2hex(substr($output, 0, $key_length)); } public static function validate_password($password, $good_hash) { $params = explode(":", $good_hash); if (count($params) < HASH_SECTIONS) return false; $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]); return self::slow_equals( $pbkdf2, self::pbkdf2( $params[HASH_ALGORITHM_INDEX], $password, $params[HASH_SALT_INDEX], (int) $params[HASH_ITERATION_INDEX], strlen($pbkdf2), true ) ); } private static function slow_equals($a, $B) { $diff = strlen($a) ^ strlen($B); for ($i = 0; $i < strlen($a) && $i < strlen($B); $i++) { $diff |= ord($a[$i]) ^ ord($b[$i]); } return $diff === 0; } Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403419 Share on other sites More sharing options...
scootstah Posted January 5, 2013 Share Posted January 5, 2013 crypt() uses "rounds" to hash. This means that instead of hashing once and done, like sha1() or md5() do, it will recursively hash N times. It also adds the salt to the end result. But, the big thing is that it supports the Blowfish algorithm, which is very strong and takes a long time to run. If you don't know what you're doing, use a third-party library from someone who does. One of the more reknowned ones is PHPass, but a few others exist as well. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403430 Share on other sites More sharing options...
Love2c0de Posted January 5, 2013 Author Share Posted January 5, 2013 http://crackstation....ng-security.htm the last time i checked that site it was down but it has a very good tutorial on how to hash and sal a password. i use there sample code but it will be better if you read from him first on how he explains that code. public static function create_hash($password) { // format: algorithm:iterations:salt:hash $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTES, MCRYPT_DEV_URANDOM)); return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt . ":" . base64_encode(self::pbkdf2( PBKDF2_HASH_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true )); } private static function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) { $algorithm = strtolower($algorithm); if (!in_array($algorithm, hash_algos(), true)) die('PBKDF2 ERROR: Invalid hash algorithm.'); if ($count <= 0 || $key_length <= 0) die('PBKDF2 ERROR: Invalid parameters.'); $hash_length = strlen(hash($algorithm, "", true)); $block_count = ceil($key_length / $hash_length); $output = ""; for ($i = 1; $i <= $block_count; $i++) { // $i encoded as 4 bytes, big endian. $last = $salt . pack("N", $i); // first iteration $last = $xorsum = hash_hmac($algorithm, $last, $password, true); // perform the other $count - 1 iterations for ($j = 1; $j < $count; $j++) { $xorsum ^= ( $last = hash_hmac($algorithm, $last, $password, true)); } $output .= $xorsum; } if ($raw_output) return substr($output, 0, $key_length); else return bin2hex(substr($output, 0, $key_length)); } public static function validate_password($password, $good_hash) { $params = explode(":", $good_hash); if (count($params) < HASH_SECTIONS) return false; $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]); return self::slow_equals( $pbkdf2, self::pbkdf2( $params[HASH_ALGORITHM_INDEX], $password, $params[HASH_SALT_INDEX], (int) $params[HASH_ITERATION_INDEX], strlen($pbkdf2), true ) ); } private static function slow_equals($a, $B) { $diff = strlen($a) ^ strlen($B); for ($i = 0; $i < strlen($a) && $i < strlen($B); $i++) { $diff |= ord($a[$i]) ^ ord($b[$i]); } return $diff === 0; } Hello 50r That code is just far too complicated for me to understand right now, I'm very new to PHP. It seems like it isn't just a simple task then if you want to do it properly? Regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403444 Share on other sites More sharing options...
Love2c0de Posted January 5, 2013 Author Share Posted January 5, 2013 crypt() uses "rounds" to hash. This means that instead of hashing once and done, like sha1() or md5() do, it will recursively hash N times. It also adds the salt to the end result. But, the big thing is that it supports the Blowfish algorithm, which is very strong and takes a long time to run. If you don't know what you're doing, use a third-party library from someone who does. One of the more reknowned ones is PHPass, but a few others exist as well. Is this not something I can just do with PHP native functions? Obviously I'll read up about how to do a basic hash and then improve upon that. Does it become too complicated with just the native PHP functions then? Regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403445 Share on other sites More sharing options...
Jessica Posted January 5, 2013 Share Posted January 5, 2013 No, it's not something you just do, and no it's not simple. Using a library like the one mentioned will make it much easier. Do it right from the beginning. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403448 Share on other sites More sharing options...
KevinM1 Posted January 5, 2013 Share Posted January 5, 2013 The easiest thing would probably be to use phpass. So, first, read this: http://www.openwall.com/articles/PHP-Users-Passwords and this: http://sunnyis.me/blog/secure-passwords/ Then, download it from: http://www.openwall.com/phpass/phpass-0.3.tar.gz Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403450 Share on other sites More sharing options...
Love2c0de Posted January 5, 2013 Author Share Posted January 5, 2013 How do I start using it? Do I need to put the files in the 'c' folder somewhere? Regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403451 Share on other sites More sharing options...
Love2c0de Posted January 5, 2013 Author Share Posted January 5, 2013 Ok, I've done what it's said and required the file in my script. I notice when I opened up the PasswordHash.php that is it written in PDO. Does this mean i'll have to use PDO to call the functions etc or can I do it in a prodedural way? Regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403452 Share on other sites More sharing options...
KevinM1 Posted January 5, 2013 Share Posted January 5, 2013 Just read the first two links I gave you. They explain how to use it. That's why I said to read them first. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403453 Share on other sites More sharing options...
Love2c0de Posted January 5, 2013 Author Share Posted January 5, 2013 Awesome I got it working. I'll carry on reading those links. Very interesting. Kind regards, L2c. Quote Link to comment https://forums.phpfreaks.com/topic/272725-securing-my-passwords/#findComment-1403456 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.