0

I've run this code to generate two encrypted passwords from a plaintext password

echo crypt("TestingTesting123");
echo "<br />";
echo crypt("TestingTesting123");

The two strings are identical but when I run it I get this output

$1$/PGpeshL$UhmiaU/jlaJTWZV8g7Ze4/
$1$MnRnzohZ$zh9VpHPOwYejI.XR76vmC/

Some people have reccomended crypt() as a good password encryptor, but how are you supposed to check the password if this happens

6
Contributors
6
Replies
41
Views
4 Years
Discussion Span
Last Post by annaharris
0

The problem is that Crypt is automatically generating a salt with the password. You therefore need to compare it as follows:

<?php

    $Password = "Password";
    $Hash = crypt($Password);

    if (crypt($Password, $Hash) == $Hash) {

        echo "Password Match";

    }
    else {

        echo "Password Failed";

    }

?>

Check out the documentation to see how you need to use it, http://php.net/manual/en/function.crypt.php

Good luck!

Edited by Octet

0

It maybe over kill but i use salt and SHA1

I use this to create a random 50 character string:

private function randomString($length = 50) // Produces random string of $lenght
    {
        $rdString = "";

        $possible = '12346789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'; // Available characters for string

        $mxlength = strlen($possible);

        if ($length > $mxlength) {
          $length = $mxlength;
        }

        $i = 0; 

        while ($i < $length) { 
          $char = substr($possible, mt_rand(0, $mxlength-1), 1);

          if (!strstr($rdString, $char)) { 
            $rdString .= $char;
            $i++;
          }
        }
        return $rdString;
    }

Then use $rdstring with users password and sha1:

public function BLAHBLAH($password){
    //Generate user salt
    $user_salt = $this->randomString();

    $encPassword = sha1($password . $user_salt);

    return $encPassword;
}
0

I wouldn't say that is overkill, when it comes to security nothing is overkill (with obvious exceptions).

I use both SHA512 and Ripemd320, alongside a 128 character randomly generated salt which is mixed up amongst the original password. Slightly more complicated then that, but obviously with it being to do with passwords I don't want to reveal too much information.

Edited by Octet

0

the problem with crypt function is is incrementing its binary values. use md5() is not, although md5() is having security hole

0

Read the content from php manual

1) Why are common hashing functions such as md5() and sha1() unsuitable for passwords?
Hashing algorithms such as MD5, SHA1 and SHA256 are designed to be very fast and efficient. With modern techniques and computer equipment, it has become trivial to "brute force" the output of these algorithms, in order to determine the original input.

Because of how quickly a modern computer can "reverse" these hashing algorithms, many security professionals strongly suggest against their use for password hashing.

2) How should I hash my passwords, if the common hash functions are not suitable?
When hashing passwords, the two most important considerations are the computational expense, and the salt. The more computationally expensive the hashing algorithm, the longer it will take to brute force its output.

There are two functions that are bundled with PHP that can perform hashing using a specified algorithm.

The first hashing function is crypt(), which natively supports several hashing algorithms. When using this function, you are guaranteed that the algorithm you select is available, as PHP contains native implementations of each supported algorithm, in case one or more are not supported by your system.

The second hashing function is hash(), which supports many more algorithms and variants than crypt(), but does not support some algorithms that crypt() does. The Hash extension is bundled with PHP, but can be disabled during compile-time, so it is not guaranteed to be available, while crypt() is, being in the PHP core.

The suggested algorithm to use when hashing passwords is Blowfish, as it is significantly more computationally expensive than MD5 or SHA1, while still being scalable.

It suggests that MD5() ,SHA1,SHA256 have security holes ,and about hashing functions available with php bundle

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.