[PHP] Is this a good security?
Posted: Mon Apr 29, 2013 1:24 pm
by vitinho444
Hello guys, in my free time I'm doing a browser based game, a simple thing.
So for the password encryption (or hashing) I created a function that I think is good in case hackers get your database records: they won't be able to see any passwords.
Here it is:
Code:
function Encrypt($string)
{
    // triple MD5 of the input
    $eText = md5(md5(md5($string)));
    // keep only the first 20 of the 32 hex characters
    $eText = substr($eText, 0, 20);
    // hash the truncated value once more
    $eText = md5($eText);
    return $eText;
}
So what this does is triple hash a $string, then cut the 32-length hash to a 20-length one and hash that again.
I don't know if it's a good way to hide passwords, but I guess those "rainbow databases" don't have this in their records.. so yeah

Re: [PHP] Is this a good security?
Posted: Mon Apr 29, 2013 1:33 pm
by Chris
That substr isn't a good idea and could possibly create multiple passwords working for one user account.
What you could do is use a prefix, that's unique and will most likely not cause your passwords matching any md5-hash record databases.
Code:
function Encrypt($string)
{
    // fixed prefix so the input never matches a plain MD5 lookup table
    return md5(md5(md5(md5('my_unique_prefix' . $string))));
}
What you could also do is not store the password, but store the password+username or email combination:
Code:
$userCredentialsHash = md5('prefix_' . $username . $password);
Re: [PHP] Is this a good security?
Posted: Mon Apr 29, 2013 2:46 pm
by dbest
Taken straight from the OWASP site:
https://www.owasp.org/index.php/Passwor ... heat_Sheet
Use a cryptographically strong credential-specific salt
A salt is a fixed-length cryptographically-strong random value. Append credential data to the salt and use this as input to a protective function. Store the protected form appended to the salt as follows:
[protected form] = [salt] + protect([protection func], [salt] + [credential]);
Follow these practices to properly implement credential-specific salts:
Generate a unique salt upon creation of each stored credential (not just per user or system wide);
Use cryptographically-strong random [*3] data;
As storage permits, use a 32-bit or 64-bit salt (actual size dependent on protection function);
Scheme security does not depend on hiding, splitting, or otherwise obscuring the salt.
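The scheme quoted above, written out as an added example (not code from the thread or from OWASP): a fresh random salt per stored credential, the protected form stored as salt + protect(salt + credential), and verification that recomputes from the stored salt. SHA-512 is used as the protection function; PHP 5.4 or later with the OpenSSL extension is assumed, and the 16-byte salt length and the iteration count are choices made here.

```php
<?php
// Added example: OWASP-style per-credential salt, stored as hex(salt) . hex(digest).
// Assumes PHP >= 5.4 with OpenSSL; SALT_BYTES and ITERATIONS are choices made here.
const SALT_BYTES = 16;
const ITERATIONS = 100000;

// Iterated SHA-512 over salt || credential. Repeating the hash is what makes
// bulk guessing slow; a single md5() call has no such cost.
function protect($salt, $password)
{
    $digest = hash('sha512', $salt . $password, true);
    for ($i = 1; $i < ITERATIONS; $i++) {
        $digest = hash('sha512', $salt . $digest, true);
    }
    return $digest;
}

// Fresh random salt for every stored credential (not per user or system wide).
function protect_credential($password)
{
    $strong = false;
    $salt = openssl_random_pseudo_bytes(SALT_BYTES, $strong);
    if ($salt === false || !$strong) {
        throw new RuntimeException('no cryptographically strong RNG available');
    }
    return bin2hex($salt) . bin2hex(protect($salt, $password));
}

// Recompute from the stored salt and compare without an early exit,
// so a wrong guess takes the same time whichever byte differs.
function verify_credential($password, $stored)
{
    $salt = hex2bin(substr($stored, 0, SALT_BYTES * 2));
    $expected = hex2bin(substr($stored, SALT_BYTES * 2));
    $actual = protect($salt, $password);
    if (strlen($expected) !== strlen($actual)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($actual); $i++) {
        $diff |= ord($actual[$i]) ^ ord($expected[$i]);
    }
    return $diff === 0;
}

// Constructed usage: the same password registered twice yields two different
// stored forms (different salts), and both still verify.
$a = protect_credential('correct horse');
$b = protect_credential('correct horse');
var_dump($a !== $b, verify_credential('correct horse', $a), verify_credential('wrong', $b));
```

On PHP 5.5 and later the built-in password_hash() and password_verify() cover the same ground with bcrypt and are the simpler choice.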
Re: [PHP] Is this a good security?
Posted: Mon Apr 29, 2013 5:20 pm
by vitinho444
dbest wrote:
Taken straight from the OWASP site:
https://www.owasp.org/index.php/Passwor ... heat_Sheet
Use a cryptographically strong credential-specific salt
A salt is a fixed-length cryptographically-strong random value. Append credential data to the salt and use this as input to a protective function. Store the protected form appended to the salt as follows:
[protected form] = [salt] + protect([protection func], [salt] + [credential]);
Follow these practices to properly implement credential-specific salts:
Generate a unique salt upon creation of each stored credential (not just per user or system wide);
Use cryptographically-strong random [*3] data;
As storage permits, use a 32-bit or 64-bit salt (actual size dependent on protection function);
Scheme security does not depend on hiding, splitting, or otherwise obscuring the salt.
I know about the salt. But I think Chris' way is easier and faster to use. I know my DB won't get hacked, and even if it was going to be, I think nobody will crack a prefix + md5 hash...
I think I will use the method:
Code:
$userCredentialsHash = md5('prefix_' . $username . $password);
by jacko, since each user gets his own security. What about hashing the username and password before hashing all together? SUPER PROTECTION!!!!! XDDD
Re: [PHP] Is this a good security?
Posted: Mon Apr 29, 2013 8:14 pm
by vitinho444
I did this system:
Code:
function Encrypt($string)
{
    // fixed prefix and suffix around the input, then four rounds of MD5
    $eText = md5(md5(md5(md5("oryzhonStudios_" . $string . "999"))));
    return $eText;
}
And it works cool at register.
But the login hash is not the same as the register one.. wtf? It's the same Encrypt function and the same string...
Re: [PHP] Is this a good security?
Posted: Tue Apr 30, 2013 1:13 am
by Jackolantern
vitinho444 wrote:
I know about the salt. But i think jacko's way is easier and faster to use.
Hehe, I think you mean Chris.
If you are using PHP 5.3 or higher (and you probably are), I believe you have the very powerful SHA-512 algorithm available. I have not used it, but from my Googling for a library, it appears that
openssl_digest() can take "sha512" as its second parameter and what you want hashed as the first parameter. SHA-512 is considered one of the toughest hashing algorithms right now.
If there is something wrong with this, I know that there are downloadable SHA-512 scripts you can use to generate the hash.
Re: [PHP] Is this a good security?
Posted: Tue Apr 30, 2013 1:20 pm
by vitinho444
Jesus Christ, I look at the name and I always think of jacko
I'm so sorry Chris
Jackolantern wrote:
vitinho444 wrote:
I know about the salt. But i think jacko's way is easier and faster to use.
Hehe, I think you mean Chris.
If you are using PHP 5.3 or higher (and you probably are), I believe you have the very powerful SHA-512 algorithm available. I have not used it, but from my Googling for a library, it appears that
openssl_digest() can take "sha512" as its second parameter and what you want hashed as the first parameter. SHA-512 is considered one of the toughest hashing algorithms right now.
If there is something wrong with this, I know that there are downloadable SHA-512 scripts you can use to generate the hash.
Well, why doesn't PHP have a sha512() function yet? Lazy bastards

jk, I might use that one yes. I don't see the point of hard encryption when I think nobody will ever hack my game since there's no point.. but the fun ofc.. xD
Thanks

Re: [PHP] Is this a good security?
Posted: Tue Apr 30, 2013 11:17 pm
by Jackolantern
Well, if you are hashing, and you don't have to go way far out of your way to choose a hashing algorithm that supposedly has not been broken yet versus one that most definitely has (like MD5), I say go for the better one!
That, and it is a good learning experience. One day it is likely that SHA-512 will be the bar, with algorithms much more powerful above it that people trade scripts to use, and MD5 simply being a footnote in history. May as well get familiar with the algorithm that will take your game further into the future.

Re: [PHP] Is this a good security?
Posted: Wed May 01, 2013 9:16 am
by vitinho444
Ok, so I check that website you gave me, openssl_digest()?
Re: [PHP] Is this a good security?
Posted: Wed May 01, 2013 11:46 am
by Jackolantern
That is my understanding. I have not used it myself before, but it should be there provided you have an up-to-date PHP installation.
