Hi,
On my websites, I encrypt passwords using a combination of hashing algorithm (Which I am obviously not going to post on a forum but its along the lines of md5(substr(whirlpool($Value), 0, 7)); )

What is blowfish, how do I use it and how much more secure is it than a function as shown above?

Regards,
Sam Rudge

Hey.

I was under the impression that Blowfish was an encryption cipher, not a hashing algorithm?
Encryption usually allows for decryption, while hashing does not, and I believe Blowfish does allow for decryption. (Although, now that I think about it, I am not entirely sure on that point.)

In any case, the answer to the question of "how much more secure is it" won't have a simple and undisputed answer, as this is a very complex topic.

Lets just say that for the foreseeable future, you will be pretty safe with either Blowfish or a couple of iterations of a salted hashing algorithm, given that you aren't still using MD5 or SHA1 :-]

As Atli says, Blowfish is an encryption cipher, not a hashing algorithm.
It is in the mcrypt library (http://php.net/manual/en/book.mcrypt.php)

There was a whole thread a while back discussing passwords and some good methods. I'll see if I can find it...



EDIT:
Thread is here:
http://www.daniweb.com/forums/thread178241.html

OK thanx, I think I will stick with my current method of lots of salts (In the actual function I use about 5 different algorithms)

Why not just save the whole hash generated by whirlpool? Using md5 effectively reduces the size of the hash, making it easier to guess (find collisions).

Taking a substr() of 7 characters makes it very insecure. You've effectively made the password a 7 character string composed of 0-9 and a-f. (hexadecimal).

This makes guessing the password less then 16^7 possibilities, which is very insecure. A single machine would guess it in less then an hour. A rainbow table, a few seconds.

I've updated the linked thread with a few tips:
http://www.daniweb.com/forums/thread178241.html

You can actually use blowfish, enough though it is a cypher. Part of its algorithm is used in BCrypt (http://www.usenix.org/events/usenix9...tml/node1.html) which is the password hashing function in OpenBSD.

The reason is that blowfish uses 4Kb of RAM when processing keys. Thus you can make it process a large number of keys, in order to make sure your algorithm uses a large amount of ram.

Say you want to use 1MB for each hashing function. You could generate 1000/4 keys, and feed them into blowfish then rehash. Note this isn't to encrypt the password, you just want to take up 1MB of RAM, so that anyone trying a brute force attack on the hashes requires 1MB for each hash which is unfeasible for them.

You however, can afford 1MB since logins are not a bottleneck on web applications. Things like disk and network IO usually are.