944,074 Members | Top Members by Rank

Web Development > PHP > Blowfish Hashing?!?
Ad:
  • PHP Discussion Thread
  • Marked Solved
  • Views: 1087
  • PHP RSS
Permalink
Nov 1st, 2009
0

Blowfish Hashing?!?

Expand Post »
Hi,
On my websites, I encrypt passwords using a combination of hashing algorithm (Which I am obviously not going to post on a forum but its along the lines of md5(substr(whirlpool($Value), 0, 7)); )

What is blowfish, how do I use it and how much more secure is it than a function as shown above?

Regards,
Sam Rudge
Last edited by samarudge; Nov 1st, 2009 at 9:52 pm.
Reputation Points: 26
Solved Threads: 31
Posting Whiz
samarudge is offline Offline
354 posts
since May 2008
Permalink
Nov 1st, 2009
0
Re: Blowfish Hashing?!?
Hey.

I was under the impression that Blowfish was an encryption cipher, not a hashing algorithm?
Encryption usually allows for decryption, while hashing does not, and I believe Blowfish does allow for decryption. (Although, now that I think about it, I am not entirely sure on that point.)

In any case, the answer to the question of "how much more secure is it" won't have a simple and undisputed answer, as this is a very complex topic.

Lets just say that for the foreseeable future, you will be pretty safe with either Blowfish or a couple of iterations of a salted hashing algorithm, given that you aren't still using MD5 or SHA1 :-]
Last edited by Atli; Nov 1st, 2009 at 10:57 pm.
Reputation Points: 93
Solved Threads: 70
Posting Pro
Atli is offline Offline
526 posts
since May 2007
Permalink
Nov 1st, 2009
1
Re: Blowfish Hashing?!?
As Atli says, Blowfish is an encryption cipher, not a hashing algorithm.
It is in the mcrypt library (http://php.net/manual/en/book.mcrypt.php)

There was a whole thread a while back discussing passwords and some good methods. I'll see if I can find it...



EDIT:
Thread is here:
http://www.daniweb.com/forums/showthread.php?t=178241
Last edited by Will Gresham; Nov 1st, 2009 at 11:07 pm.
Reputation Points: 96
Solved Threads: 124
Master Poster
Will Gresham is offline Offline
728 posts
since May 2008
Permalink
Nov 2nd, 2009
0
Re: Blowfish Hashing?!?
OK thanx, I think I will stick with my current method of lots of salts (In the actual function I use about 5 different algorithms)
Reputation Points: 26
Solved Threads: 31
Posting Whiz
samarudge is offline Offline
354 posts
since May 2008
Permalink
Nov 2nd, 2009
0
Re: Blowfish Hashing?!?
Click to Expand / Collapse  Quote originally posted by samarudge ...
Hi,
On my websites, I encrypt passwords using a combination of hashing algorithm (Which I am obviously not going to post on a forum but its along the lines of md5(substr(whirlpool($Value), 0, 7)); )

What is blowfish, how do I use it and how much more secure is it than a function as shown above?

Regards,
Sam Rudge
Why not just save the whole hash generated by whirlpool? Using md5 effectively reduces the size of the hash, making it easier to guess (find collisions).

Taking a substr() of 7 characters makes it very insecure. You've effectively made the password a 7 character string composed of 0-9 and a-f. (hexadecimal).

This makes guessing the password less then 16^7 possibilities, which is very insecure. A single machine would guess it in less then an hour. A rainbow table, a few seconds.

I've updated the linked thread with a few tips:
http://www.daniweb.com/forums/thread178241.html

You can actually use blowfish, enough though it is a cypher. Part of its algorithm is used in BCrypt (http://www.usenix.org/events/usenix9...tml/node1.html) which is the password hashing function in OpenBSD.

The reason is that blowfish uses 4Kb of RAM when processing keys. Thus you can make it process a large number of keys, in order to make sure your algorithm uses a large amount of ram.

Say you want to use 1MB for each hashing function. You could generate 1000/4 keys, and feed them into blowfish then rehash. Note this isn't to encrypt the password, you just want to take up 1MB of RAM, so that anyone trying a brute force attack on the hashes requires 1MB for each hash which is unfeasible for them.

You however, can afford 1MB since logins are not a bottleneck on web applications. Things like disk and network IO usually are.
Moderator
Reputation Points: 457
Solved Threads: 101
Nearly a Posting Virtuoso
digital-ether is offline Offline
1,250 posts
since Sep 2005

This thread is solved

Either the thread starter or a moderator has marked this thread as solved. You can most likely trust the responses and answers given. There is most likely no reason for any further responses to be posted here. If you have a related question, please start a new thread in this forum instead.

This thread is more than three months old

No one has posted to this discussion for at least three months. Please let old threads die and do not reply to them unless you feel you have something new and valuable to contribute that absolutely must be added to make the discussion complete. Otherwise, please start a new thread in this forum instead.
Message:
Previous Thread in PHP Forum Timeline: Error: Commands out of sync; you can't run this command now
Next Thread in PHP Forum Timeline: Search string is too exact help





About Us | Contact Us | Advertise | Acceptable Use Policy
Forum Index | Build Custom RSS Feed


Follow us on Twitter


© 2011 DaniWeb® LLC