securing my passwords

[Love2c0de]

What is the best function to use when hashing passwords? I've looked on php.net and they tell you on there to stay away from sha1() and md5().

 

I read also about hash() and crypt() and from what I read decided to go with crypt().

 

I don't really understand the hash types of this function though.

 

Can anyone pelase explain a little on this or even the best way to encrypt your passwords?

 

Kind regards,

 

L2c.

[50r]

http://crackstation.net/hashing-security.htm the last time i checked that site it was down but it has a very good tutorial on how to hash and sal a password.

i use there sample code but it will be better if you read from him first on how he explains that code.

   public static function create_hash($password) {
    // format: algorithm:iterations:salt:hash
    $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTES, MCRYPT_DEV_URANDOM));
    return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt . ":" .
		    base64_encode(self::pbkdf2(
						    PBKDF2_HASH_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true
				    ));
   }
   private static function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
    $algorithm = strtolower($algorithm);
    if (!in_array($algorithm, hash_algos(), true))
	    die('PBKDF2 ERROR: Invalid hash algorithm.');
    if ($count <= 0 || $key_length <= 0)
	    die('PBKDF2 ERROR: Invalid parameters.');
    $hash_length = strlen(hash($algorithm, "", true));
    $block_count = ceil($key_length / $hash_length);
    $output = "";
    for ($i = 1; $i <= $block_count; $i++) {
	    // $i encoded as 4 bytes, big endian.
	    $last = $salt . pack("N", $i);
	    // first iteration
	    $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
	    // perform the other $count - 1 iterations
	    for ($j = 1; $j < $count; $j++) {
		    $xorsum ^= ( $last = hash_hmac($algorithm, $last, $password, true));
	    }
	    $output .= $xorsum;
    }
    if ($raw_output)
	    return substr($output, 0, $key_length);
    else
	    return bin2hex(substr($output, 0, $key_length));
   }
   public static function validate_password($password, $good_hash) {
    $params = explode(":", $good_hash);
    if (count($params) < HASH_SECTIONS)
	    return false;
    $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
    return self::slow_equals(
				    $pbkdf2, self::pbkdf2(
						    $params[HASH_ALGORITHM_INDEX], $password, $params[HASH_SALT_INDEX], (int) $params[HASH_ITERATION_INDEX], strlen($pbkdf2), true
				    )
    );
   }
   private static function slow_equals($a, $B) {
    $diff = strlen($a) ^ strlen($B);
    for ($i = 0; $i < strlen($a) && $i < strlen($B); $i++) {
	    $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
   }

[scootstah]

crypt() uses "rounds" to hash. This means that instead of hashing once and done, like sha1() or md5() do, it will recursively hash N times. It also adds the salt to the end result.

 

But, the big thing is that it supports the Blowfish algorithm, which is very strong and takes a long time to run.

 

If you don't know what you're doing, use a third-party library from someone who does. One of the more reknowned ones is PHPass, but a few others exist as well.

[Love2c0de]

  On 1/5/2013 at 2:53 PM, 50r said:

http://crackstation....ng-security.htm the last time i checked that site it was down but it has a very good tutorial on how to hash and sal a password.

i use there sample code but it will be better if you read from him first on how he explains that code.

public static function create_hash($password) {
 // format: algorithm:iterations:salt:hash
 $salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTES, MCRYPT_DEV_URANDOM));
 return PBKDF2_HASH_ALGORITHM . ":" . PBKDF2_ITERATIONS . ":" . $salt . ":" .
		 base64_encode(self::pbkdf2(
						 PBKDF2_HASH_ALGORITHM, $password, $salt, PBKDF2_ITERATIONS, PBKDF2_HASH_BYTES, true
				 ));
}
private static function pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output = false) {
 $algorithm = strtolower($algorithm);
 if (!in_array($algorithm, hash_algos(), true))
	 die('PBKDF2 ERROR: Invalid hash algorithm.');
 if ($count <= 0 || $key_length <= 0)
	 die('PBKDF2 ERROR: Invalid parameters.');
 $hash_length = strlen(hash($algorithm, "", true));
 $block_count = ceil($key_length / $hash_length);
 $output = "";
 for ($i = 1; $i <= $block_count; $i++) {
	 // $i encoded as 4 bytes, big endian.
	 $last = $salt . pack("N", $i);
	 // first iteration
	 $last = $xorsum = hash_hmac($algorithm, $last, $password, true);
	 // perform the other $count - 1 iterations
	 for ($j = 1; $j < $count; $j++) {
		 $xorsum ^= ( $last = hash_hmac($algorithm, $last, $password, true));
	 }
	 $output .= $xorsum;
 }
 if ($raw_output)
	 return substr($output, 0, $key_length);
 else
	 return bin2hex(substr($output, 0, $key_length));
}
public static function validate_password($password, $good_hash) {
 $params = explode(":", $good_hash);
 if (count($params) < HASH_SECTIONS)
	 return false;
 $pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
 return self::slow_equals(
				 $pbkdf2, self::pbkdf2(
						 $params[HASH_ALGORITHM_INDEX], $password, $params[HASH_SALT_INDEX], (int) $params[HASH_ITERATION_INDEX], strlen($pbkdf2), true
				 )
 );
}
private static function slow_equals($a, $B) {
 $diff = strlen($a) ^ strlen($B);
 for ($i = 0; $i < strlen($a) && $i < strlen($B); $i++) {
	 $diff |= ord($a[$i]) ^ ord($b[$i]);
 }
 return $diff === 0;
}

 

Hello 50r

 

That code is just far too complicated for me to understand right now, I'm very new to PHP.

 

It seems like it isn't just a simple task then if you want to do it properly?

 

Regards,

 

L2c.

[Love2c0de]

  On 1/5/2013 at 3:26 PM, scootstah said:

crypt() uses "rounds" to hash. This means that instead of hashing once and done, like sha1() or md5() do, it will recursively hash N times. It also adds the salt to the end result.

 

But, the big thing is that it supports the Blowfish algorithm, which is very strong and takes a long time to run.

 

If you don't know what you're doing, use a third-party library from someone who does. One of the more reknowned ones is PHPass, but a few others exist as well.

 

Is this not something I can just do with PHP native functions? Obviously I'll read up about how to do a basic hash and then improve upon that. Does it become too complicated with just the native PHP functions then?

 

Regards,

 

L2c.

[Jessica]

No, it's not something you just do, and no it's not simple. Using a library like the one mentioned will make it much easier. Do it right from the beginning.

[KevinM1]

The easiest thing would probably be to use phpass. So, first, read this: http://www.openwall.com/articles/PHP-Users-Passwords and this: http://sunnyis.me/blog/secure-passwords/

 

Then, download it from: http://www.openwall.com/phpass/phpass-0.3.tar.gz

[Love2c0de]

How do I start using it? Do I need to put the files in the 'c' folder somewhere?

 

Regards,

 

L2c.

[Love2c0de]

Ok, I've done what it's said and required the file in my script. I notice when I opened up the PasswordHash.php that is it written in PDO. Does this mean i'll have to use PDO to call the functions etc or can I do it in a prodedural way?

 

Regards,

 

L2c.

[KevinM1]

Just read the first two links I gave you. They explain how to use it. That's why I said to read them first.

[Love2c0de]

Awesome I got it working. I'll carry on reading those links. Very interesting.

 

Kind regards,

 

L2c.