Old 10-21-2009, 12:07 AM   #10 (permalink)
adamdecaf

I wonder if this will help.

Take one letter or number: there are 62 possible symbols for it ([a-zA-Z0-9]). Now if you take that and form a single-character hash of it, you've just simplified it to a base (16/32/64/...). The values can now be [0-9a-f], or 16 characters.

If we take a sample string of "62-symbol possible characters" and try to predict a pattern in it, you would agree that it will take a lot more time/effort than a string with "16-symbol possible characters". You're doing the same thing when re-hashing a hash over and over again; now we're talking about (SHA-1) 2**52 <> 2**80, but it's still a considerable decomposition in security.

Your best bet is to create a fairly random string (8-16 characters) and hash that alongside the password. The position of the salt and the hash doesn't make a difference.

PHP Code:
<?php
// A simple and very trivial random string generator.
// You can/should always seed the random number generator with something.
// (rand() is not a cryptographically secure source; it is what the post uses.)
function rand_string($length = 8) {
    $str = '';
    // Append one character per iteration until $length characters are built.
    for ($i = 0; $i < $length; $i++) {
        switch (rand(0, 2)) {
            case 0:
                $str .= chr(rand(65, 90));   // 'A'..'Z'
                break;
            case 1:
                $str .= chr(rand(97, 122));  // 'a'..'z'
                break;
            case 2:
                $str .= chr(rand(33, 64));   // '!'..'@' (includes the digits 0-9)
                break;
        }
    }
    return $str;
}

$salt = rand_string(rand(8, 16));
$password = $_POST['password'];

$hash = sha1($salt . $password);
That has been tried, tested, and very true for almost all web applications. (More advanced systems use far more complicated methods, which you should not need.)

*EDIT* - Put $salt and $hash in wrong places, fixed.
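Added example (mine, not adamdecaf's code) of the salt-and-hash scheme from the post above, written in Python so it runs stand-alone: the salt is drawn from the OS CSPRNG via the secrets module instead of rand(), the salt is stored in the clear next to the digest so the login check can recompute sha1(salt + password), and the comparison is constant-time. The function names, the "salt$digest" storage format and the sample password are my own assumptions, not anything from the thread. One practitioner's caveat: a single SHA-1 over salt+password is very cheap per guess for an attacker with the stored records; current practice is a deliberately slow password hash (bcrypt, scrypt or Argon2; PHP exposes this as password_hash()), and the same layout accommodates that by swapping the digest step.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# The post's 62-symbol alphabet: [a-zA-Z0-9]. '$' is deliberately not in it,
# so it can be used as the separator in the stored record.
SALT_ALPHABET = string.ascii_letters + string.digits


def rand_string(length: int = 8) -> str:
    """Return a random salt of `length` characters from SALT_ALPHABET.

    secrets uses the OS CSPRNG, so the salt is unpredictable without any
    manual seeding (unlike PHP's rand() in the post).
    """
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def hash_password(password: str, salt: Optional[str] = None) -> str:
    """sha1(salt + password), returned with the salt as 'salt$hexdigest'.

    The salt is not a secret: its job is to make every user's record unique
    so one precomputed table cannot crack them all. `salt` may be supplied
    explicitly (e.g. for tests); normally it is random with a length in the
    post's 8..16 range.
    """
    if salt is None:
        salt = rand_string(8 + secrets.randbelow(9))  # 8..16 inclusive
    digest = hashlib.sha1((salt + password).encode("utf-8")).hexdigest()
    return f"{salt}${digest}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute sha1(salt + candidate) from the stored salt and compare.

    hmac.compare_digest is a constant-time comparison, so the check does not
    leak how many leading hex digits of the digest matched.
    """
    salt, digest = stored.split("$", 1)
    computed = hashlib.sha1((salt + candidate).encode("utf-8")).hexdigest()
    return hmac.compare_digest(computed, digest)


def unsalted_sha1(password: str) -> str:
    """The scheme the post argues against: same password, same hash, every time."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample (assumption): two users pick the same weak password.
    pw = "correct horse"
    alice = hash_password(pw)
    bob = hash_password(pw)
    print("unsalted, both users:", unsalted_sha1(pw))
    print("salted, alice:", alice)
    print("salted, bob:  ", bob)
    assert alice != bob  # different salts -> different stored records
    assert verify_password(alice, pw) and verify_password(bob, pw)
    assert not verify_password(alice, "wrong password")
```

Running the script prints one identical unsalted digest for both users and two different salted records for the same password; verification only needs the record itself, since the salt travels with the digest. The `salt=` parameter exists so the function can be checked against a known SHA-1 vector (sha1("abc")) with a fixed salt.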