I have tried to research this and im always running into old articles.

What I have come across are (possibly more):
md5, sha1, hash, crypt and mcrypt

Now I have used md5/sha1 before and have 32/40 character long strings the others I dont know too much about but in short, what is the best encryption method? (I may have not even listed it)

Thanks, Regards X

Comments
Good thread!
Brilliant :)

I just love this question. In my opinion, it is best to use more than one hash so that it is harder to crack. And so that those online database chrackers can't store your hash, include the whirlpool hash. So below is a function I have made for a much better hash:

function truehash($hashzzz) {
return hash('crc32b',hash('whirlpool',$hashzzz));
}

The function above will be really hard to crack as it uses oppisite types of output. One of the advantages with the function above is that crc32b is short (less data recorded) and whirlpool is long (containing more data). And since a whirlpool hash is 128 characters long, I doubt anybody will have a giant database of the whirlpool conversions. Of course you could use all of the hashes in the function but may make take a bit of cpu.
Any other comments?

Comments
Informative and useful :)
Thanks for the useful information.

I havent researched the hash method in depth but what I have understood is that:

hash('$hash_string', $variable);

$hash_string = "abc" or whateva string you wish to use as hash method
$variable = variable wanting to hash (aka password)

So in your example you have doubled hashed your password, once using a long string and then against a short string? correct?

Due to the mix of the long and short encryption you believe this is the best method of encryptions?

The above correct? Thanks

Due to the mix of the long and short encryption you believe this is the best method of encryptions?

The above correct? Thanks

Yes that is correct.

I forgot to ask, how many characters is the string produced?

Also am I correct in that I can use any string I wish to hash a password?

Thanks

The returned hash of my truehash function is 8 characters long and yes any string or number can be hashed through this function.

I think I didnt ask my second question correctly.

The terms 'crc32b' and 'whirlpool' are just random variables selected or actual hash functions? could I have used 'apple123' and 'banana123' instead?

I think I didnt ask my second question correctly.

The terms 'crc32b' and 'whirlpool' are just random variables selected or actual hash functions? could I have used 'apple123' and 'banana123' instead?

Well the terms 'crc32b' and 'whirlpool' are what tells the computer which type of hash to use, so no you can't change those unless you want to use a different type of hash. It is the second field contains the string to hash.

I just love this question. In my opinion, it is best to use more than one hash so that it is harder to crack. And so that those online database chrackers can't store your hash, include the whirlpool hash. So below is a function I have made for a much better hash:

function truehash($hashzzz) {
return hash('crc32b',hash('whirlpool',$hashzzz));
}

The function above will be really hard to crack as it uses oppisite types of output. One of the advantages with the function above is that crc32b is short (less data recorded) and whirlpool is long (containing more data). And since a whirlpool hash is 128 characters long, I doubt anybody will have a giant database of the whirlpool conversions. Of course you could use all of the hashes in the function but may make take a bit of cpu.
Any other comments?

Thats a very nice function. I wish I could give you more rep today :)

nav33n my man! How you been!?!?!

Can we download the md5 anti hash method, so we can test our own web applciations?

Also how I assume to use the hash method is correct?

Thanks, REgards X

I am good OmniX! How are you ?

I don't think there is any decrypting script/function which you can download. They have mentioned how there can be a collision between 2 different strings giving out the same hash ! I tried to read some more about the same, but, everything is going right over my head :(
http://www.mscs.dal.ca/~selinger/md5collision/
http://www.unixwiz.net/techtips/iguide-crypto-hashes.html

Thank you for creating this thread.. I can spend the rest of the evening reading these links ;)

Comments
Very interesting links

I have had no internet for months!

I have alot of catching up to do so join me :p

Ill do some more research and wait for a few more additional comments and come up with something.

But am I assuming how the hash method works, is correct?
(use any string to encrypt a variable to produce a unique 8 character string?)

I don't think there is any decrypting script/function which you can download. They have mentioned how there can be a collision between 2 different strings giving out the same hash ! I tried to read some more about the same, but, everything is going right over my head :(

Although there may be no dehasher on the market that doesn't stop you from making one. But it does require about 2 petabytes of hardrive space (2048TB or 2097152GB). I have created a dehasher that simply records every key combination and its hash into a mysql database then when dehashing, just simply do a reverse lookup by searching for the recorded hash and original word when the entry was generated. Just let me know if you would like the script.

But am I assuming how the hash method works, is correct?
(use any string to encrypt a variable to produce a unique 8 character string?)

Yep. Thats correct. In this case, the algorithm convert it to 8 character string.

Although there may be no dehasher on the market that doesn't stop you from making one. But it does require about 2 petabytes of hardrive space (2048TB or 2097152GB). I have created a dehasher that simply records every key combination and its hash into a mysql database then when dehashing, just simply do a reverse lookup by searching for the recorded hash and original word when the entry was generated. Just let me know if you would like the script.

Woah ! Something like a keylogger ? Is it in php or java/vb.net ?

Woah ! Something like a keylogger ? Is it in php or java/vb.net ?

It is php and to dehash sha1 you can simply use the following scripts (page titles are on second line of each code box):

<?
//db.php
//configure below mysql variables
$dbhost='localhost';
$accountname='root';
$password='';
$database='my database';
?>

Above box will configure the database. The database needs a table with the name 'dehasher' and two columns each named 'word' and 'hash'. Also the above must be named db.php
Below is the search page (index.php)

<?
//index.php
if (isset($_GET['hash']))
	{
	set_time_limit(0);
	ini_set('memory_limit','512M');
	ini_set('mysql.cache_size','1073741824');
	include('db.php');
	mysql_connect($dbhost,$accountname,$password)
	or die("Could not connect to MySQL server");
	mysql_select_db($database) or die(mysql_error()."Could not select database");
	$rowid=0;
	$sqlresult=mysql_query("SELECT * FROM `dehasher`");
	while ($row = mysql_fetch_array($sqlresult))
		{
		if ($_GET['hash']==$row['hash'])
			{
			$word=$row['word'];
			$dehashed=1;
			break;
			}
		}
	mysql_free_result($sqlresult);
	unset($row);
	}
echo "Enter in the details below and click the dehash button to dehash the code.<br>
<b>Please note it may take a few minutes to dehash due to the size of the database</b><br>
<table border=1 cellpadding=5 cellspacing=0 bgcolor=#FFCCCC><tr><td>
<form style='padding:0; margin:0;'>
<table border=0 cellpadding=0 cellspacing=0 bgcolor=#FFCCCC><tr><td>
Insert hash below</td><td>Hash type</td></tr><tr><td valign=top>
<input type='text' name='hash' size=50> </td><td align=left><input type='submit' value='dehash'>
</td></tr></table>
</form></td></tr></table>";
if (!isset($dehashed)) { $dehashed=0; }
if ($dehashed==1)
    {
    echo "<p>.<p><font size=3>The hash was decrypted successfully.<br>Below are the details:<br>
    <table border=1 cellpadding=0 cellspacing=0><tr><td>
    <table border=0 cellpadding=4 cellspacing=0><tr>
    <td bgcolor=#EEBBBB><font face='arial'><b>Word</b></font></td><td bgcolor=#FFCCCC>".$word."</td></tr><tr>
    <td bgcolor=#D8CCCC><font face='arial'><b>Hash</b></font></td><td bgcolor=#E9DDDD>".$_GET['hash']."</td></tr></table>
    </td></tr></table>";
    } else if (isset($_GET['hash'])) {
    echo "<b>Your hash could not be decrypted.</b>";
    }
?>

And below is the database generator:

<?
//generator.php
set_time_limit(0);
ini_set('memory_limit','2147483648M');
ini_set('mysql.cache_size','1073741824');
include('db.php');
mysql_connect($dbhost,$accountname,$password)
or die("Could not connect to MySQL server");
mysql_select_db($database) or die(mysql_error()."Could not select database");
$rownum=0;
//echo - text debugger for IE.
echo "<img src=0.gif width=1 height=1 alt='                                                       ".
"                                                                                             '><br>";
$list=" ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890`~!@#$%^&*()-_=+\|[{]};:\"',<.>/?abcdefghijklmnopqrstuvwxyz.,";
$loops=38430716820228233;
$chars=30;
$allwords=array();
$sqlresult=mysql_query("SELECT `word` FROM `dehasher`");
while ($row = mysql_fetch_array($sqlresult))
        {
        $allwords[]=$row['word'];
        }
mysql_free_result($sqlresult);
unset($row);
unset($sqlresult);
while (count($allwords)<$loops)
	{
	$escapecharplus=0;
	$repeat=mt_rand(1,$chars);
	while ($escapecharplus<$repeat)
		{
		$randomword.=$list[mt_rand(1, strlen($list)-1)];
		$escapecharplus+=1;
		}
	if (!in_array($randomword,$allwords))
		{
		$allwords[]=$randomword;
		$rowid+=1;
		mysql_query("INSERT INTO `dehasher` SET `word`='".mysql_real_escape_string($randomword).
                "', `hash`='".mysql_real_escape_string(hash('sha1', $randomword))."'");
		echo mysql_error();
		$rownum+=1;
		echo "<xmp>".$randomword."\n</xmp>";
                flush();
		unset($randomword);
                if (mt_rand(1,32)==2)
                        {
                        mysql_query("DELETE FROM `dehasher` WHERE `word`=''; DELETE FROM `dehasher` WHERE `hash`=''");
                        }
                usleep(50000); // lower cpu
                }
        }
?>

But as you can see, if you used a whirlpool hash it would take 4 times the amount of hardrive space than the average size hash assuming the average size hash is 32 characters. But have fun dehashing if you have plenty of harddrive space.

Hmm.. one question though.. The table will store random strings and their hashes.. I guess it would be more efficient if a dictionary (like the ones used in Brute force) with all the commonly used words are also stored..

So if your double hasing a password as such, why not just make it even harder and make it a triple hasher with 3 unique words like banana, apple and pear? and if not even harder with apricot, peach, grape and just make a like 10 x hash encrypter?

Im just trying to understand the functioning of the hash encrypter before I start on my encrypting!

Thanks, Regards X

You can! But you will just be adding unnecessary overload to your CPU ! I think you can use cwarn23's function. Its neat !

hashing and encryption are two different things.
hashes like MD5, SHA1, Whirlpool etc. are one way. There *should* NOT be a way to reverse them.

Encryption however is two way. you can encrypt a string and when decrypted returns the same string.

For hashes I agree with cwarn in the use of whirlpool, but i would have to argue that salting the string to be hashed prior to running it through whirlpool, would be just as strong as double hashing the string, but would require less cpu work. You could also make it infinitely harder by generating a random salt for every password and then storing the salt along with the hashed string in the database.

If the op is interested in encryption I would suggest taking a look at this post in the php documentation using the mcrypt library. http://us2.php.net/manual/en/function.mcrypt-encrypt.php

There are also a few different mysql methods for dealing with encryption:
aes_encrypt/aes_decrypt
encode/decode
des_decrypt/des_encrypt

I've worked on projects where for example, passwords needed to be hashed to prevent their snooping by people with access to the database, and also where passwords needed to be encrypted so that support staff could view the password if the user had forgotten it, without having to reset it to a random string or a default password.

Salting a password just means inserting a random string in with the password to get a more random hashed?

With the 'whirlpool' string it could just as well as been 'torando' or 'sandstorm' its all customizable depending on the user's preference or are they keyword functions? (as I see whirlpool and crn32 coming up a few times)

The hash function is a function that allows you to utilize numerous kinds of algorithms. if you run print_r(hash_algos()); it will give you an array of the hash algorithms available on your system. Whirlpool is just one type of hash, like MD5, SHA1 and CRN32

A salt is basically adding a random string(s) to whatever you are encrypting or hashing:

<?php

$sSalt = '8*S&AsEc4qUs';
$sHash = hash( 'whirlpool', $sString . $sSalt );

echo $sHash;

so if the user decided to make their password "password" the hashed password would actually be for the value of "password8*S&AsEc4qUs" which would prevent someone from using a hash lookup database as it ensures that the users password has some form of complexity to it. This is assuming that someone was looking at the actual hash stored in the database and not trying to forge logins from a from.

I *believe* phpBB3 uses the random salt for every password option i mentioned in my previous post. It would be something like this:

<?php

function getSalt( $iLength = 10 )
{
	$sPossible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|';
	$iPossibleCount = strlen( $sPossible );
	
	$sSalt = '';
	for( $i=0; $i<$iLength; $i++ )
	{
		$sSalt .= $sPossible[mt_rand(0, $iPossibleCount)];
	}
	
	return $sSalt;
}

$sPassword  = 'password';
$sSalt = getSalt();

$sHash = hash('whirlpool', $sPassword . $sSalt );

//Store  $sHash and $sSalt in the database.

Although I imagine when you get into generating random salts, you are going to be just as comparable to double hashing the same string, in terms of cpu usage and at some point you start to cross the line of security by obscurity.

Comments
Good post.
Good info
Thankyou for the Informative Post

Thankyou for the Informative Post that explains in detail the hash algorithm.
I can go run off that check for the list of algorithms and work off that.
Thanks, Regards X

Careful about misleading people. A hash is not encryption. There is no way to decrypt a hash. There is also no such thing as a "dehasher", the only way to "reverse" a hash is to create huge libraries (called rainbow tables) of pre-created hashes and check against them. MD5, SHA1/256/etc are hashes, Vigenere, WEP, etc. are encryption.

I am assuming for security, hashing is better than encryption as it is one way where encryption is two way?

Encryption I know how it works normally, not sure if its the same in the php world.

A 'user A' 'encrypts' a password with a key then sends the key and password seperatly to the 'user B' then the user uses the key to decrypt the password?
This how encryption works in php?

They're two different things that both have different purposes. as I indicated in my first post and as ShawnC again emphasized, encryption and hashing are two different things. You can't compare them on a security level.

I just ran [print_r(hash_algos());]
Now I understand the crc32b, whirlpool,etc but is there like a breakdown table anyone has a link to that lists the character length produced, time to hashed, etc?

Thanks, Regards X

the registered number of algorithms will vary by system, although in my experience most of them are commonly available. As far as execution time, that would vary drastically depending on the type of hardware your site/system is hosted on.

I would suggest running a quick benchmark on the hash_algos() output.

<?php

$aAlgos = hash_algos();
$sStringToHash = 'This is a test string';
$sSaltString = 'This is the salt';

foreach( $aAlgos as $sAlgoName)
{
	echo 'Algorithm: ' . $sAlgoName . '<br />';
	
	$iStart = microtime(true); //Only valid with PHP5
	$sHashed = hash( $sAlgoName, $sStringToHash . $sSaltString );
	$iEnd = microtime(true);
	
	
	echo 'String Length: ' . strlen( $sHashed ) . '<br />';
	echo 'Hash: ' . $sHashed . '<br />';
	echo 'Total Hashing Time: ' . number_format( ($iEnd - $iStart), 8) . ' seconds';
	echo '<hr />';

}

It is crude but should give you a fairly accurate idea of how long its taking your system to run a single hash. I'm not certain if there are other factors that would skew this benchmark or not as I'm not familiar with the internals behind the hash() function.

Comments
Thanks for the info!

The hash function is a function that allows you to utilize numerous kinds of algorithms. if you run print_r(hash_algos()); it will give you an array of the hash algorithms available on your system. Whirlpool is just one type of hash, like MD5, SHA1 and CRN32

A salt is basically adding a random string(s) to whatever you are encrypting or hashing:

<?php

$sSalt = '8*S&AsEc4qUs';
$sHash = hash( 'whirlpool', $sString . $sSalt );

echo $sHash;

so if the user decided to make their password "password" the hashed password would actually be for the value of "password8*S&AsEc4qUs" which would prevent someone from using a hash lookup database as it ensures that the users password has some form of complexity to it. This is assuming that someone was looking at the actual hash stored in the database and not trying to forge logins from a from.

I *believe* phpBB3 uses the random salt for every password option i mentioned in my previous post. It would be something like this:

<?php

function getSalt( $iLength = 10 )
{
	$sPossible = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-+=[]{}|';
	$iPossibleCount = strlen( $sPossible );
	
	$sSalt = '';
	for( $i=0; $i<$iLength; $i++ )
	{
		$sSalt .= $sPossible[mt_rand(0, $iPossibleCount)];
	}
	
	return $sSalt;
}

$sPassword  = 'password';
$sSalt = getSalt();

$sHash = hash('whirlpool', $sPassword . $sSalt );

//Store  $sHash and $sSalt in the database.

Although I imagine when you get into generating random salts, you are going to be just as comparable to double hashing the same string, in terms of cpu usage and at some point you start to cross the line of security by obscurity.

If you really want a salt before or after the hash then one of the following functions might suit you:

function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool','asdf'.$hashzzz.'jklh'));
}

== or if really worried ==
function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool',hash('crc32b',$hashzzz).$hashzzz.'jklh'));
}

== or if really worried and want another idea==
function salthash($hashzzz) {
return hash('crc32b',hash('whirlpool',strlen($hashzzz).'18'.$hashzzz.'jklh'));
}

==or if really worried and want yet another idea==
function salthash($hashzzz) {
$varzzz=4*strlen($hashzzz);
return hash('crc32b',hash('whirlpool','6'.$varzzz.'18'.$hashzzz.'jklh'));
}

And if you think the crackers are really good you could even make your own type of hash with regex. So there are plenty of ideas out there. And the above are just a few easy examples. Tonight I might try and test some of the scripts on this topic to see what is the fastest. Maybe we could have a competition of the most secure and fastest hash mechinism.

This question has already been answered. Start a new discussion instead.