TalkPHP
01-08-2008, 10:54 PM #1 RobertK
[1.0.3] hash() algorithm info script

Let's face it. MD4 and MD5 are old and compromised. SHA1 even has a few risks associated with it now. The hash() function, with its many algorithms, is a godsend ... but which do you choose? Which do you have? How many characters will the hash take in your database?

Now you know!

This script is a simplistic little thing, sorta, that rates the algorithms present upon your server, extracts any known information (hardcoded into the script unfortunately), and tells you how many characters the HEX code will take for the hash. It even has a handy-dandy (approximate) strength indicator.

HOWEVER! No strong hash will ever secure a terrible password. ' ' hashed will always fall quickly to a brute force assault. So, while the difference in hashes can make a good difference in preventing collision attacks, the password length and strength is just as, if not more, important.

Changelog

1.0 release 2
  • Speed calculation is done upon a dummy 1MB file.
1.0 release 3
  • Slight speed increase in regex checking
  • Footer now states total generation time and hash count
  • Minor tweaks I have since forgotten...

Notes
I wrote this because I was tired of constantly looking things up, doing the math, and figuring it all out every time I want to pick a hash algorithm.

I wouldn't suggest you read this script to learn from me. This time around it's a disorganized mess. It was complex enough to get working without losing track of my variables. That said, it isn't too bad and it (better yet) works.

Oh yeah, and the columns sort themselves when you click on the column header.

To install
Just unzip and upload; navigate to whatever directory you put it in, and load the script.

Obligatory Preview

Credits
Me, of course, for the brunt of the typing and research behind the algorithms.
WildHoney and Salathe, for helping my HORRID command of regex.
Stuart Langridge, for the javascript table sorter.

License
Err... didn't know it needed one. This'n is simple. Maybe BSD? PM for commercial use permission, please.
Attachments: hash-algorithm-info-script-preview.gif (preview), uber-hash.zip (8.6 KB)
Last edited by RobertK : 01-09-2008 at 02:51 PM. Reason: Updated; hash speed now calculated
01-09-2008, 03:28 AM #2 Wildhoney

That performs quite well actually. I notice my PHP code there at the top for the preg_match. Maybe have a speed test there as well for the generation?
01-09-2008, 03:46 AM #3 RobertK

Quote:
Originally Posted by Wildhoney
Maybe have a speed test there as well for the generation?
A speedtest there, how? The speed test is limited to the precise area around the hash() call, and encompasses the raw speed of the throughput. For instance, on my local host system I get an average of 120GB/Sec throughput for the high security functions.

I'm not quite sure what you are asking.

Quote:
Originally Posted by Wildhoney
I notice my PHP code there at the top for the preg_match
Yup, as said in the credits in the post, thanks for helping my horrible control of regex out. ;)


Right now I'm working on an OOP version for installer scripts. That way the hashes, salts, and even session hashes can all be different from site to site--and be picked for their speed on the client system. So far this is fun, sorting based on an object's property, foreach iterating through a class, and much more that really helps out.
01-09-2008, 04:10 AM #4 Wildhoney

Oh, I didn't realise there was a speed test already incorporated into the script. My bad. The OOP version sounds intriguing.
01-09-2008, 03:00 PM #5 RobertK
[1.0.3] updated hash() enumerator

(release 3)
New tweaks, footer, and a slight regex change suggested by Salathe. Redownloading isn't important, unless you really want it.

Quote:
Originally Posted by Wildhoney
Oh, I didn't realise there was a speed test already incorporated into the script.
Wildhoney, that's because I edited it shortly after you downloaded, and I didn't realize that editing didn't cause a topic "bump". I got used to SMF doing that. I also noticed editing the topic title doesn't show past this page, for whatever reason.

The class(es) unit for the OOP version is only 260 lines, but it has built in fitness checking. Fitness checking being a comparison of strength, speed, and the stability (standard deviation) of that speed over three tests. The built in sorting is really cool, if I say so myself, because I leapt on a random tangent and wound up being right after all. Always a good feeling! It's going to take some work before it's really ready--documentation, cleanup, and license application--but it's amazing how much you can learn from something simplistic like this.

I already have my next class/module lined up for development past this.
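As an added example, not the uber-hash.zip script attached in post #1 and not the OOP "fitness" class RobertK describes in post #5, here is a stand-alone PHP script that does what both posts describe: it enumerates the algorithms hash() offers on the current build, reports how many hex characters each digest takes (the database column width), times each algorithm on a 1 MB constructed buffer over three runs, and ranks the results by digest width and mean throughput, keeping the standard deviation of the three runs as the stability figure. It assumes PHP 7.4 or later (hrtime(), arrow functions); the byte pattern, the three-run count and the sort order are this example's own choices.

```php
<?php
// Added example for this thread; not the uber-hash.zip script nor the OOP
// "fitness" class RobertK describes. Assumes PHP 7.4+ (hrtime, arrow fn).
declare(strict_types=1);

const SAMPLE_BYTES = 1048576;  // 1 MB dummy buffer, constructed below
const RUNS = 3;                // three timed runs per algorithm

// Time one hash() call over $data; returns seconds as a float.
function timeHash(string $algo, string $data): float
{
    $t0 = hrtime(true);            // monotonic nanoseconds
    hash($algo, $data);
    return (hrtime(true) - $t0) / 1e9;
}

// Population standard deviation of the timing samples.
function stddev(array $xs): float
{
    $n = count($xs);
    $mean = array_sum($xs) / $n;
    $var = 0.0;
    foreach ($xs as $x) {
        $var += ($x - $mean) ** 2;
    }
    return sqrt($var / $n);
}

// One row per algorithm this PHP build offers: hex width, bit length,
// mean throughput in MB/s and the jitter (std dev, ms) across $runs.
function profileAlgorithms(string $data, int $runs = RUNS): array
{
    $rows = [];
    foreach (hash_algos() as $algo) {
        // hash() returns lowercase hex unless $binary is true, so the
        // digest's strlen() is exactly the column width a database needs.
        $hexChars = strlen(hash($algo, ''));
        $times = [];
        for ($i = 0; $i < $runs; $i++) {
            $times[] = timeHash($algo, $data);
        }
        $mean = max(array_sum($times) / $runs, 1e-9);  // guard against 0
        $rows[] = [
            'algo'       => $algo,
            'hex_chars'  => $hexChars,
            'bits'       => $hexChars * 4,          // 4 bits per hex character
            'mb_per_sec' => (strlen($data) / SAMPLE_BYTES) / $mean,
            'stddev_ms'  => stddev($times) * 1000,
        ];
    }
    return $rows;
}

$data = str_repeat("\xAB", SAMPLE_BYTES);   // constructed 1 MB input
$rows = profileAlgorithms($data);

// Rank: widest digest first, then fastest within the same width. Checksums
// such as crc32 or adler32 win on speed but sit at the bottom on width.
usort($rows, fn(array $a, array $b): int =>
    [$b['bits'], $b['mb_per_sec']] <=> [$a['bits'], $a['mb_per_sec']]);

printf("%-14s %5s %5s %10s %10s\n", 'algorithm', 'hex', 'bits', 'MB/s', 'sd(ms)');
foreach ($rows as $r) {
    printf("%-14s %5d %5d %10.1f %10.3f\n",
        $r['algo'], $r['hex_chars'], $r['bits'], $r['mb_per_sec'], $r['stddev_ms']);
}
```

Run it from the command line with php and read the table top to bottom. Two things worth keeping in mind when using a table like this: a hex character carries four bits, so a 64-character column holds a 256-bit digest and nothing wider; and bulk throughput is the wrong yardstick for password storage, where a deliberately slow, salted function such as password_hash() (PHP 5.5 and later) is what you want. The ranking above is for choosing a general-purpose digest, which is the use the thread's author has in mind, and it says nothing about whether a weak password survives, as post #1 already warns.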