View Full Version : understanding encryption

05-16-2008, 01:24 AM
I'm working with a login script, and unsure why after I create user, and then attempt to login, I'm always told I have an incorrect user.

If I encrypt the password as follows:

$password = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST[password]))))))));

Shouldn't I be able to use the same in my login function to match and verify the password?

It seems it works when I used just md5, but when I try to add on to it for addition encryption it fails. Is there anything special to be aware of when using sha1?

I'm guessing its my script, but wanted to ask for I pull out the little hair I have left these days.

05-16-2008, 01:45 AM
how big is the database field you are storing the hashed password in? sha1 requires 40 chars.

And, you'd be better off salting the password.

05-16-2008, 01:50 AM
That's not 'encryption', that's a one-way hash.

Producing multiple hashes actually does the opposite of what you expect - it increases the eventual possibility of collisions. Besides the fact that it looks messy as hell, no offense.

Use a unique salt as PappaJohn mentioned.

05-16-2008, 01:55 AM
$password = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST[password]))))))));


It seems it works when I used just md5, but when I try to add on to it for addition encryption it fails. Is there anything special to be aware of when using sha1?
Well, first of all you need to understand that md5() (http://php.net/md5) and sha1() (http://php.net/sha1) are NOT encryption functions. They are functions that hash the data that is passed to them. Which means using them several times isn't going to make it any more secure. It's also a good idea to "salt" them with another value that is unique to your site(Google for examples). As far as your actual problem, we can't really help you without the code you're using for comparison when the user logs in. Also, you should try to use sha1() (http://php.net/sha1) (or sha256 with the hash() (http://php.net/function.hash) function in PHP 5) because MD5 uses a weak hash algorithm.

Edit: Mirrored some info above

05-16-2008, 04:05 AM
Thanks for the help and tips guys.

The initial problem was the db field was set to 32chrs, when it needs to be 40 to use sha1. But now that I've learned a little about salting a password. I'll be adding a custom phrase to it as well to help keep it secure.

Would it be also be good practice to....

1. Sha1 your $Salt phrase
2. md5 a password
3. Combined steps 1 and 2
4. Sha1 step 3?

05-16-2008, 04:39 AM
Not necessarily. Something like this should suffice

$salt= 'purplemonkeydishwasher666';
$hash= sha1( $salt . 'YourPassWordString' );

Of course, the salt has to either be consistent across all users in the database, either that or each user has to have the hash salt stored along with the password. There are pros and cons to each method. Just make sure you keep the salt stored away safely (such as in a separate database table).

05-16-2008, 04:48 PM
So as maybe a best practice approach, it would be wise to:

$salt= 'purplemonkeydishwasher666';
$hashSalt = sha1( $salt );

And store $hashSalt in a separate table, so the pass phrase is not known.


$pass= 'userpassword';
$hashPass= sha1( $pass );

$dbUserPass= sha1( $saltHash . $saltPass );

Or not even bother with a second sha1 of the combined passwords? I'm just thinking its best to not even have your Salt PassPhrase shown in any code or stored in the database unless its already hashed.

05-16-2008, 05:22 PM
You could increase the power of the salt by storing a random string for each user. Then when you encrypt (this does require an additional query):

$randomString = getRandomStringFromDb($userId);
$encryptedPassword = sha1($password . $randomString . "MyPassPhrase");

Now each hash will be unique per user, even if they use the same password (this would prevent someone from stealing additional accounts in case they manage to find out 1 password).