KubeR Posted July 20, 2014

Hi,

Recently I've been trying to write a safe password hash, and I wanted to know: if I use an MD5 hash at the end, just so it will be some sort of "packed", so instead of saving a 128-character string I'll use MD5 to "pack" it into 32 characters and save up to 96 characters. I know MD5 isn't safe and all, but the question is, does it lower the security?

Also, I would be happy for feedback about my password hash:

    function hash_($input, $key) {
        // First round: WHIRLPOOL over sha512(key) $ input $ sha512(key)
        $op = hash("whirlpool", hash("sha512", $key) . "$" . $input . "$" . hash("sha512", $key));
        $h1 = hash("sha512", $key);
        $h2 = hash("sha512", $key);
        // 24 further rounds of WHIRLPOOL over the previous output
        for ($x = 0; $x < 24; $x++) {
            $op = hash("whirlpool", $h1 . "$" . $op . "$" . $h2);
        }
        return $op;
    }

Is it secure enough for storing a high number of users, or can it be improved somehow?

This might sound like I am a newbie, but I prefer to sound like one instead of going the wrong way.

- KubeR.
Jacques1 Posted July 20, 2014

Don't invent your own crypto algorithms. Contrary to popular belief, it's not as easy as randomly throwing together a bunch of hash algorithms. It requires expert knowledge, careful design, extensive peer review and real-life testing for at least a decade. You don't fulfil a single one of those requirements.

This doesn't even make sense:

So $key is a secret key, I guess? Do you not realize that this allows an attacker to break all hashes in parallel once they've obtained the key?

Why do you keep calculating the SHA-512 hash of $key? Do you not realize that the result is always the same?

The entire algorithm requires just one SHA-512 calculation and 26 WHIRLPOOL calculations. Do you not realize that even a stock PC can do this millions of times per second?

There may be tons of other weaknesses, but none of us is a cryptographer, so none of us is qualified to talk about it.

My advice is: Forget about home-made algorithms and use a professional solution. The current de-facto standard for password hashing is bcrypt. It was designed by people who actually know what they're doing and has been around for 15 years. In addition to that, it's well-integrated into PHP. If you have PHP 5.5, you can make use of the new Password Hashing API. If you don't have version 5.5 but at least 5.3.7, you can use the password_compat library from the same author.

I understand that it's tempting to play around with cryptography and try to come up with something new. But cryptography is hard science. Trying to come up with a new password hash algorithm with no qualification whatsoever is like trying to perform a brain surgery with a rusty screwdriver.
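Added example, not part of Jacques1's post: storing and checking passwords with the Password Hashing API recommended above, including the re-hash step when the cost is raised. The `$users` array, the function names and the cost of 12 are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. $users stands in for a database
// table and the cost of 12 is a constructed starting value (both assumptions).

function bcrypt_options()
{
    return array('cost' => 12);
}

function register_user(array &$users, $name, $password)
{
    // password_hash() draws a fresh random salt on every call and stores it,
    // with the algorithm id and cost, inside the 60-character result.
    $users[$name] = password_hash($password, PASSWORD_BCRYPT, bcrypt_options());
}

function login(array &$users, $name, $password)
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Re-hash on successful login if the stored hash uses an older cost.
    if (password_needs_rehash($users[$name], PASSWORD_BCRYPT, bcrypt_options())) {
        $users[$name] = password_hash($password, PASSWORD_BCRYPT, bcrypt_options());
    }
    return true;
}

$users = array();
register_user($users, 'alice', 'correct horse battery staple'); // constructed sample data
register_user($users, 'bob', 'correct horse battery staple');

// Same password, different salts: compare the two stored hashes and their length.
var_dump($users['alice'] === $users['bob']);
var_dump(strlen($users['alice']));
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));

// A hash created at a lower cost still verifies, then is upgraded on login.
$users['carol'] = password_hash('hunter2', PASSWORD_BCRYPT, array('cost' => 10));
login($users, 'carol', 'hunter2');
$info = password_get_info($users['carol']);
var_dump($info['options']['cost']);

// Time one hash to tune the cost for this machine.
$t = microtime(true);
password_hash('benchmark', PASSWORD_BCRYPT, bcrypt_options());
printf("one bcrypt hash at cost 12: %.0f ms\n", (microtime(true) - $t) * 1000);
```

The stored value already has a fixed length of 60 characters, so no extra "packing" step is needed before saving it.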
KubeR Posted July 20, 2014

I didn't intend to reverse it, nor build a crypto with a decrypt, but a hash, so as you said "the result will always be the same". The $key is a salt, I just named it like that for no reason...

I will look more into bcrypt, thank you.

Edited July 20, 2014 by KubeR