Page 2 of 2 First 12
  • Jump to page:
    #16
  1. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    146
    Rep Power
    2
    Originally Posted by E-Oreo
    See post #3 by requinix for an example of using crypt.
    When I use this (from post #3):
    PHP Code:
    crypt('thispassword1111''$1$' substr(uniqid(time(), true), -9)); 
    each time I refresh the page, I get a different result.

    is that how it's supposed to work?

    if so, how then could i expect to compare that result with the next time the user visits...since the results will no doubt be different?

    for example, that code is run for the first time for user A and the output is:
    $1$.5366977$EI4ibOhZElFbcRWKIFWY01
    which is then stored in the db as their hashed password.

    the next time they visit, their password (thispassword1111) is run through the same crypt: crypt('thispassword1111', '$1$' . substr(uniqid(time(), true), -9));
    but this time gives this result:
    $1$.9699771$9ik9/t4GVDAvUbuogo7hX/
    the two results are different, and therefore wouldn't match.
  2. #17
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,910
    Rep Power
    1045
    Originally Posted by we5inelgr
    PHPass uses CRYPT_BLOWFISH first (which I've mentioned I don't have access to in the OP), and MD5 as a fallback (which is apparently bad from what you say). So I'm not understanding how PHPass would benefit me?
    PHPass does not use plain MD5. If CRYPT_BLOWFISH is not available, it uses CRYPT_EXT_DES as a fallback. If that's not available either, it uses a custom algorithm based on repeating MD5 several hundred or thousand times together with a salt.

    That's the best you can get when bcrypt (aka CRYPT_BLOWFLISH) isn't available. In any case, it's much more secure than messing up crypt().



    Originally Posted by we5inelgr
    And, since PHPass is (apparently) pretty well know, doesn't that make it a target for hackers?
    No, no, no! Security doesn't come from everybody making up their own homegrown algorithm and keeping it "secret" (aka security by obscurity). Security comes from established, widely used algorithms, because those have actually been tested and proven to work.

    99.99% of all homemade hash or encryption algorithms are completely broken. That is, when you start inventing your own stuff, you're almost guaranteed to screw up. Compared to that risk, the theoretical benefit of forcing the hacker to find out your algorithm is just laughable. Actually, when somebody has already broken into your system, your "secret" algorithm won't be very secret, anyway.

    So forget this idea. When choosing a security algorithm, you want the one that everybody uses since decades. Because you can be pretty sure it has been tested, reviewed and revised by smart people again and again. It has been proven to be secure. Your own algorithm hasn't been tested at all. It can have -- and most probably has -- severe flaws, which make it completely useless.

    This also applies to using libraries vs. writing your own stuff. PHPass has been written by a renowned expert, and it's widely used since many years. It has gone through many, many tests, reviews and actual attacks. You can be pretty sure that it works. This does not apply to your own code. Actually, by using time() and uniqid() to generate the salt, you've already made a mistake. And applying md5() to the salt doesn't make any sense whatsoever.

    So do you really think you can do better than PHPass?



    Originally Posted by we5inelgr
    So they are saying that the prefered method is to use a one-way hash function, which is exactly what crypt() is.
    I do not speak against crypt(). You seem to have completely misunderstood me. I speak against you (and all of us) using it directly.

    It's not mean for us. We're not supposed to use it. It's meant for libraries like PHPass, which use those low-level functions to create a high-level API for developers like us.

    If you still wanna use it, go ahead and make the 5,000,001st botched security procedure.



    Originally Posted by we5inelgr
    the next time they visit, their password (thispassword1111) is run through the same crypt: crypt('thispassword1111', '$1$' . substr(uniqid(time(), true), -9));
    No, you don't understand the concept. The "salt" (or rather configuration string) is generated exactly once. It contains all the parameters for the hashing procedure, including the algorithm, the salt (which is added to the actual input string) and possibly the number of iterations.

    To verify a password, the same configuration string is passed to the crypt() function, making it use the same parameters as before. If the password is correct, the resulting hash matches the original hash. Otherwise, the hashes are different (with a very high probability).
    Last edited by Jacques1; April 25th, 2013 at 06:56 PM.
  4. #18
  5. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,296
    Rep Power
    7170
    When you are checking whether the password is valid, you pass the stored crypted string as the second argument to crypt, just like the examples in post 8 and 13. If you're not convinced that this works for some reason, just try it and see that it does.

    When you are generating a hash for a new password (that isn't stored already), you pass a random salt to crypt as part of the second argument. You will and are supposed to get a different result every time you do this, even if the passwords you're hashing are the same.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  6. #19
  7. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    146
    Rep Power
    2
    Say I go with PHPass.

    Some questions/issues arrise.

    1. If I go with it, I will (should) be essentially at the mercy of the people (person) who currently maintain it, to continue to maintain it with each new (at least major) version of PHP, as well as any new potential sucurity issues and how they may inpact this library.

    If they stop maintaining it, how difficult would it be to move off of it and to something else? I realize there are many variables involved here...but in general, would it be relatively easy to migrate from?

    2. Is it necessary to store the salt in the db along with the user's crypted password?

    3. If it is, how then does one authenticate the user without having that stored salt first? (assuming the user only enters their ID and password on a sign in form)?
  8. #20
  9. Lord of the Dance
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Oct 2003
    Posts
    3,534
    Rep Power
    1906
    1) The alternative is you create something yourself, and I think the answer to this is known from all the previous posts.

    2) correct

    3) there are two phases to this
    When the user create the profile it will go like this:
    * Ask user to enter a password (and username)
    * Create a unique salt value
    * encrypt the password with the salt
    * Store the salt and the encrypted password to the database

    When the user try to log-in with the user it will go like this:
    * ask user to enter his username and pasword
    * read the stored salt from the database for this username
    * encrypt the password from user with the stored salt
    * compared the "new" encrypted password with the encrypted password in the database for a match.
  10. #21
  11. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    146
    Rep Power
    2
    Originally Posted by MrFujin
    1) The alternative is you create something yourself, and I think the answer to this is known from all the previous posts.

    2) correct

    3) there are two phases to this
    When the user create the profile it will go like this:
    * Ask user to enter a password (and username)
    * Create a unique salt value
    * encrypt the password with the salt
    * Store the salt and the encrypted password to the database

    When the user try to log-in with the user it will go like this:
    * ask user to enter his username and pasword
    * read the stored salt from the database for this username
    * encrypt the password from user with the stored salt
    * compared the "new" encrypted password with the encrypted password in the database for a match.
    Ah, ok. got it. Thanks!
  12. #22
  13. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    146
    Rep Power
    2
    It looks like the password field in the db should be varchar 60.
    What should the hash field be? varchar 60 also??
  14. #23
  15. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,296
    Rep Power
    7170
    what do you mean by the password field?
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  16. #24
  17. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    146
    Rep Power
    2
    Originally Posted by E-Oreo
    what do you mean by the password field?
    That question was directed at this statement:

    * Store the salt and the encrypted password to the database
    I interpreted that to mean that both the salt and the crypted password where stored separately.

    But in fact, they are one in the same. Right?

    Comments on this post

    • Jacques1 disagrees : I give up. Some people just refuse to learn.
  18. #25
  19. No Profile Picture
    Lost in code
    Devshed Supreme Being (6500+ posts)

    Join Date
    Dec 2004
    Posts
    8,296
    Rep Power
    7170
    yes, they are stored in the same place. The salt is part of the string returned by crypt.
    PHP FAQ

    Originally Posted by Spad
    Ah USB, the only rectangular connector where you have to make 3 attempts before you get it the right way around
  20. #26
  21. No Profile Picture
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jun 2012
    Posts
    146
    Rep Power
    2
    Got it working. Had to have my host company upgrade PHP version.
Page 2 of 2 First 12
  • Jump to page:

IMN logo majestic logo threadwatch logo seochat tools logo