  1. #1 mmarif4u (SitePoint Guru, joined Dec 2006, location /dev/swat)

    sha1/md5 with salt

    Hi,
    First of all, I would clarify that this is not a help or question related thread. It's just an opinion based thread, where everyone can suggest/advise his/her own idea.
    There are many ways to hash a password; a salt is the most talked about thing to use with sha1 or md5. I have this sample example, and would let the reader decide which method is the best; any ideas to improve it are welcome, OR if anyone has a new way to secure a password.

    PHP Code:
    $pass = 'somestring'; // password
    $salt = '}#f4ga~g%7hjg4&j(7mk?/!bj30ab-wi=6^7-$^R9F|GK5J#E6WT;IO[JN'; // random string

    $hash = md5($pass); // md5 hash #1
    $hash_md5 = md5($salt.$pass); // md5 hash with salt #2
    $hash_md5_double = md5(sha1($salt.$pass)); // md5 hash with salt & sha1 #3
    $hash1 = sha1($pass); // sha1 hash #4
    $hash1_sha1 = sha1($salt.$pass); // sha1 hash with salt #5
    $hash1_sha1_double = sha1(md5($salt.$pass)); // sha1 hash with salt & md5 #6

    // echo now
    echo 'Original Password: '.$pass.'<br><br>';
    echo 'Original Salt: '.$salt.'<br><br>';
    echo 'MD5: '.$hash.'<br><br>';
    echo 'MD5 with Salt: '.$hash_md5.'<br><br>';
    echo 'MD5 with Salt & Sha1: '.$hash_md5_double.'<br><br>';
    echo 'Sha1: '.$hash1.'<br><br>';
    echo 'Sha1 with Salt: '.$hash1_sha1.'<br><br>';
    echo 'Sha1 with Salt & MD5: '.$hash1_sha1_double.'<br><br>';
    In the above, which one would you choose from #1 to #6?

    Ideas and improvement are welcomed.
    Thanks

  2. #2 felgall (Programming Since 1978, joined Sep 2005, location Sydney, NSW, Australia)
    Either 2 or 5 depending on which hashing algorithm you decide to use.

    That way someone with access to the server who can view the hashed passwords for the same person on multiple sites is unable to tell what either password is and whether or not they are the same.

    Not using a salt means that they can tell if the passwords are the same because it is unlikely that the same person would use two different passwords that generate the same hash.

    Using anything more than a salted hash is overkill as the process only serves to hide the password from those with access to the server and just hashing is enough to do that.
    Stephen J Chapman


  3. #3 mmarif4u (SitePoint Guru, joined Dec 2006, location /dev/swat)
    Thanks Stephen J Chapman.
    I would also go for either #2 or #5, but will choose #5.

    I have another idea: let's say the server stops working and is not serving PHP pages. In this case it will show the $salt itself on the page.
    So for this, I thought to create another PHP file (salt.php) and include it in login.php like this:
    salt.php
    PHP Code:
    <?php
    $salt = '}#f4ga~g%7hjg4&j(7mk?/!bj30ab-wi=6^7-$^R9F|GK5J#E6WT;IO[JN'; // random string
    ?>
    And then in login.php:
    PHP Code:
    <?php
    include('../../salt.php'); // pulls in $salt from outside the web root
    // $pass is the submitted password, set elsewhere in login.php
    echo sha1($pass.$salt);
    ?>
    salt.php will be somewhere in the root directory listings, which need not be known to the user. So s/he will just see the login.php page and not the random salt string.

    This is just my idea to improve it.

  4. #4 felgall (Programming Since 1978, joined Sep 2005, location Sydney, NSW, Australia)
    The way to improve it is to make sure that the database is properly secured so that no one other than yourself and those in the data centre can access the raw content of the database. Apart from those people the hashing of the password serves no purpose since they are the only ones who will be able to see it. Using a salt even if known is enough to prevent those in the data centre using a rainbow table to find a value to use as the password and also to stop their identifying if the same password is used by the same person on different accounts.

    Whatever you do to the password beyond using a salted hash is like adding a draught excluder under your door while all the thieves are looking at how to climb in through the windows.
    Stephen J Chapman


  5. #5 logic_earth (shoooo..., joined Oct 2005, location CA)
    I'm more inclined to do.... should randomly generate a new salt for each user.
    PHP Code:
    $data = 'somerandom password';
    $salt = 'somerandom saltstring';

    $hash = hash('whirlpool', $data . $salt);
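A worked version of the per-user random salt idea from #5, together with the cross-account point felgall makes in #2, as an added example that is not code from the thread (the helper names are assumptions; it needs PHP 7 or later):

```php
<?php
// Added example, not code from the thread. Helper names make_user_record()
// and check_password() are hypothetical; requires PHP 7+ for random_bytes().

// One fresh random salt per user, stored next to the hash (logic_earth, #5).
function make_user_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));          // 128-bit salt as 32 hex chars
    $hash = hash('sha256', $salt . $password);  // salted hash, same shape as #2/#5
    return ['salt' => $salt, 'hash' => $hash];
}

// Verification: recompute with the stored salt and compare in constant time,
// so the string comparison itself leaks no timing information.
function check_password(array $record, string $candidate): bool
{
    $computed = hash('sha256', $record['salt'] . $candidate);
    return hash_equals($record['hash'], $computed);
}

// Constructed sample: two accounts that happened to choose the same password.
$alice = make_user_record('correct horse');
$bob   = make_user_record('correct horse');

// Different salts give different stored hashes, so someone reading the table
// cannot see that the two accounts share a password (felgall's point in #2).
var_dump($alice['hash'] !== $bob['hash']);

// The stored record is enough to verify a login attempt.
var_dump(check_password($alice, 'correct horse'));
var_dump(check_password($alice, 'wrong horse'));

// Since PHP 5.5 the built-in API generates and stores the salt for you and
// uses a slow, tunable algorithm (bcrypt by default), which is the better
// choice today than a single md5/sha1/sha256 pass.
$stored = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse', $stored));
```

The salt is stored in the clear beside the hash; as felgall notes in #4 its job is to defeat precomputed tables and cross-account comparison, not to be secret.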