...

View Full Version : how to protect your passwords



coffeedemon
10-27-2003, 05:48 AM
I used md5 to hash (encrypted) my passwords in my database; but if someone gets access to my database they can run the hashed(encrypted) passwords against the script to hack in. To prevent this I do a custom scramble of the md5() hash.

Lets use the example of a user signing up on my site; in which I store his user name and password in my database.

Lets say he signed up with the password "mypassword"

I send "mypassword" through a scrample function:

<?php
function encrypt($e_pssd)
{
$input_md5 = md5($e_pssd); // creates a hash

$create_encryption = rand(100,199); // produces a random number between 100 and 199
$create_encryption .= $input_md5; // adds hashed password to the variable
$create_encryption .= rand(100,199); // produces a random number between 100 and 199
$encrypted_pssd = $create_encryption;

return $encrypted_pssd;
}

// encrypted("mypassword") will return:
// 10534819d7beeabb9260a5c854bc85b3e44157

?>

md5() always returns a 32-character hexadecimal number - so no matter how long the str the hash will be 32 charactors long. what this does is add three random numbers between 100 and 199 on the end of the md5 encrypted password. md5() takes any str and

so who ever gets in my database to retrieve the passwords will get (depending on your scramble) a md5() hash with characters thrown in it. This will make it impossible to figure out what string of charaters he has to use.

To unscramble passwords you pull out for a login I made another function "cleaning" out the md5() hash.

<?php
function decrypt($d_pssd)
{
$clean_decrypt = substr($d_pssd, 3, 32); // returns the string with the hash with out the first and last three numbers. revealing the actual hash.
$decrypted = $clean_decrypt;

return $decrypted;
}

$unscrambled = decrypt('10534819d7beeabb9260a5c854bc85b3e44157');
?>

$unscrambled will return with the first three characters and last three characters left out. giving the clean (unscrambled) md5() hash.

you can make things even more complicated by spliting up the md5() hash in several parts and inputing random numbers and then unscramble by spliting the scrambled md5() hash and removing those random numbers.

I hope I made this clear enough.

Any comments welcome.

raf
10-27-2003, 06:55 AM
Sorry, but i don't understand it. Why crypt a hashfunction ?
I also don't understand

but if someone gets access to my database they can run the hashed(encrypted) passwords against the script to hack in.
:confused: Run the hashed values against the script ?

If that is true, then there is simply something wrong whith your loginprocedure. You normaly just hash the pwd and compare that output with the output of the initial hashing you stored in the db.

And there is no real reason to do some further encryprion using a random seed. It also dosn't offer much extra security since encrypt is reversable + i think that even i would be smart enough to see the patter and to just remove the 6 digits.

The only extra security there could be is that you can keep it concealed that you do an extra encoding. But why post it here then ?

A hacker that can get into your db and files will be smart enough to just read the code and see the setup. The only secure way, is to force the users to use a strong pwd and then store the hashed value.

It also sea
ems better to use sha1() or sha2() then md5().
Apparently VISA explicitely forbids the use of md5() if you want to use their services.

firepages
10-27-2003, 04:04 PM
Your new hash is no safer against brute forceing than md5() + if someone gets into your DB you are squished anyway as its only a matter of time ... not that it matters at that point ?

so I am with raf in that I don't quite see the point ?

coffeedemon
10-27-2003, 04:15 PM
well obviously this isn't the way i do it. i would do something more complicated.

if you did get the hash you wouldn't be smart enough to guess which 6 to remove and with 32 to keep.

"If that is true, then there is simply something wrong whith your loginprocedure. You normaly just hash the pwd and compare that output with the output of the initial hashing you stored in the db."

If they are able to access your DB then they obviously have access to make their own scripts against it.

but if you say it's not worth it then i guess it makes since. i was just playing around and it seemed to make sense to me last night and not so much today.

raf
10-27-2003, 05:31 PM
Originally posted by coffeedemon
well obviously this isn't the way i do it. i would do something more complicated.
:confused: Well, not everyone here is a PHP or encryption wizzard so i would at least warn people that this is just a simple description of a possible approach or something like that. But hey, i'm nagging

Originally posted by coffeedemon

if you did get the hash you wouldn't be smart enough to guess which 6 to remove and with 32 to keep.
Oh yes, i'm smart enough for that. Just print of a list and you'll see the pattern.


Originally posted by coffeedemon

If they are able to access your DB then they obviously have access to make their own scripts against it.
Not necessarely true. Unless they also get write acces to the servers webfolders (or if you used a % for the server and or db's when you set up the account), but then you can pack it in altogether.
Besides, the issue was passwordencryption, and if they get into the db, the only way they can get the original values is brute-forcing.
So like is said: how secure a pwd is, depends on how 'strong' it is. 'secret' being very weak, 'cd5sd4fc5dsd5' being quite strong.


Originally posted by coffeedemon

but if you say it's not worth it then i guess it makes since. i was just playing around and it seemed to make sense to me last night and not so much today.
I certainly know that feeling :)

coffeedemon
10-27-2003, 06:00 PM
yes pretty much:p



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum