
Safe password hash


KubeR


Hi,

 

 

Recently I've been trying to write a safe password hash and I wanted to know if I can use an MD5 hash at the end, just so it will be some sort of "packed", so instead of saving a 128 string, I'll use md5 to "pack" it into 32 characters and save up to 96 characters.

 

I know MD5 isn't safe and all, but the question is, does it lower the security ?

 

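Also, I would be happy for feedback about my password hash:

function hash_($input, $key) {
    // First WHIRLPOOL round over sha512(key) $ input $ sha512(key)
    $op = hash("whirlpool", hash("sha512", $key) . "$" . $input . "$" . hash("sha512", $key));
    // The same SHA-512 of the key, computed twice more as prefix and suffix
    $h1 = hash("sha512", $key);
    $h2 = hash("sha512", $key);
    // 24 further WHIRLPOOL rounds over prefix $ previous output $ suffix
    for ($x = 0; $x < 24; $x++) {
        $op = hash("whirlpool", $h1 . "$" . $op . "$" . $h2);
    }
    return $op;
}
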
Is it secure enough for saving a high number of users, or can it be improved somehow?

This might sound like I am a newbie, but I prefer to sound like one instead of going the wrong way.
 
- KubeR.

Don't invent your own crypto algorithms. Contrary to popular belief, it's not as easy as randomly throwing together a bunch of hash algorithms. It requires expert knowledge, careful design, extensive peer review and real-life testing for at least a decade. You don't fulfil a single one of those requirements.

 

This doesn't even make sense:

  • So $key is a secret key, I guess? Do you not realize that this allows an attacker to break all hashes in parallel once they've obtained the key?
  • Why do you keep calculating the SHA-512 hash of $key? Do you not realize that the result is always the same?
  • The entire algorithm requires just one SHA-512 calculation and 26 WHIRLPOOL calculations. Do you not realize that even a stock PC can do this millions of times per second?
  • There may be tons of other weaknesses, but none of us is a cryptographer, so none of us is qualified to talk about it.

My advice is: Forget about home-made algorithms and use a professional solution. The current de-facto standard for password hashing is bcrypt. It was designed by people who actually know what they're doing and has been around for 15 years. In addition to that, it's well-integrated into PHP. If you have PHP 5.5, you can make use of the new Password Hashing API. If you don't have version 5.5 but at least 5.3.7, you can use the password_compat library from the same author.

 

I understand that it's tempting to play around with cryptography and try to come up with something new. But cryptography is hard science. Trying to come up with a new password hash algorithm with no qualification whatsoever is like trying to perform a brain surgery with a rusty screwdriver.

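The Password Hashing API recommended in the reply above, shown as an added example that is not part of the original thread. It covers the two points the reply raises against the home-made scheme: a random salt per hash instead of one shared key, and a tunable work factor. The names `BCRYPT_COST`, `store_password()` and `check_login()`, the cost value of 12 and the sample passwords are assumptions made for illustration.

```php
<?php
// Added example: bcrypt through PHP's Password Hashing API (PHP >= 5.5).
// BCRYPT_COST, store_password() and check_login() are assumed names.

// Work factor: each +1 doubles the time per hash. 12 is an assumed
// starting point; tune it on the production hardware.
const BCRYPT_COST = 12;

// Hash a new password. password_hash() draws a fresh random salt on every
// call and embeds algorithm, cost and salt in the returned 60-char string,
// so no separate salt or key column is needed.
function store_password($password)
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Check a login attempt. Returns [ok, replacement hash or null]; a
// replacement is issued when the stored hash was made with another cost.
function check_login($password, $storedHash)
{
    if (!password_verify($password, $storedHash)) {
        return [false, null];
    }
    $options = ['cost' => BCRYPT_COST];
    $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, $options)
        ? store_password($password)
        : null;
    return [true, $newHash];
}

// Constructed sample input, for demonstration only.
$first  = store_password('correct horse battery staple');
$second = store_password('correct horse battery staple');
echo "same password, identical hashes: ";
var_dump($first === $second);
echo "correct password accepted: ";
var_dump(check_login('correct horse battery staple', $first)[0]);
echo "wrong password accepted: ";
var_dump(check_login('wrong guess', $first)[0]);

// A hash stored earlier at a lower cost is upgraded on the next good login.
$old = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);
list($ok, $upgraded) = check_login('hunter2', $old);
echo "old hash verified and replacement issued: ";
var_dump($ok && $upgraded !== null);

// Time one hash to see the cost an attacker pays per guess.
$start = microtime(true);
store_password('timing probe');
printf("one hash at cost %d: %.0f ms\n", BCRYPT_COST, (microtime(true) - $start) * 1000);
```

When `check_login()` returns a replacement hash, write it back to the user's record. bcrypt only uses the first 72 bytes of the password, so longer inputs are truncated.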

I didn't intend to reverse it, nor build a crypto with a decrypt, but a hash so as you said "the result will always be the same", the $key is a salt, I just named it like that for no reason ....

 

I will look more into bcrypt, thank you.

Edited by KubeR
