  #1 ptmuldoon, Regular Coder

    understanding encryption

    I'm working with a login script, and unsure why, after I create a user and then attempt to login, I'm always told I have an incorrect user.

    If I encrypt the password as follows:

    $password = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password']))))))));

    Shouldn't I be able to use the same in my login function to match and verify the password?

    It seems it works when I use just md5, but when I try to add on to it for additional encryption it fails. Is there anything special to be aware of when using sha1?

    I'm guessing it's my script, but wanted to ask before I pull out the little hair I have left these days.

  #2 PappaJohn, Senior Coder

    How big is the database field you are storing the hashed password in? sha1 requires 40 chars.

    And, you'd be better off salting the password.

  #3 bdl, Regular Coder

    That's not 'encryption', that's a one-way hash.

    Producing multiple hashes actually does the opposite of what you expect - it increases the eventual possibility of collisions. Besides the fact that it looks messy as hell, no offense.

    Use a unique salt as PappaJohn mentioned.

  #4 Inigoesdr, Super Moderator

    Quote (originally posted by ptmuldoon):
    $password = sha1(md5(md5(sha1(md5(sha1(sha1(md5($_POST['password']))))))));

    ...

    It seems it works when I use just md5, but when I try to add on to it for additional encryption it fails. Is there anything special to be aware of when using sha1?

    Well, first of all you need to understand that md5() and sha1() are NOT encryption functions. They are functions that hash the data that is passed to them. Which means using them several times isn't going to make it any more secure. It's also a good idea to "salt" them with another value that is unique to your site (Google for examples). As far as your actual problem, we can't really help you without the code you're using for comparison when the user logs in. Also, you should try to use sha1() (or sha256 with the hash() function in PHP 5) because MD5 uses a weak hash algorithm.

    Edit: Mirrored some info above

  #5 ptmuldoon, Regular Coder

    Thanks for the help and tips guys.

    The initial problem was the db field was set to 32 chars, when it needs to be 40 to use sha1. But now that I've learned a little about salting a password, I'll be adding a custom phrase to it as well to help keep it secure.

    Would it also be good practice to....

    1. sha1 your $Salt phrase
    2. md5 a password
    3. Combine steps 1 and 2
    4. sha1 step 3?

  #6 bdl, Regular Coder

    Not necessarily. Something like this should suffice

    PHP Code:
    // site-wide salt prepended to the password before hashing
    $salt = 'purplemonkeydishwasher666';
    $hash = sha1( $salt . 'YourPassWordString' );

    Of course, the salt has to either be consistent across all users in the database, or each user has to have the salt stored along with the password. There are pros and cons to each method. Just make sure you keep the salt stored away safely (such as in a separate database table).

  #7 ptmuldoon, Regular Coder

    So as maybe a best practice approach, it would be wise to:

    PHP Code:
    $salt = 'purplemonkeydishwasher666';
    $hashSalt = sha1( $salt );

    And store $hashSalt in a separate table, so the pass phrase is not known.

    Then
    PHP Code:
    $pass = 'userpassword';
    $hashPass = sha1( $pass );

    // second sha1 over the two hashes combined
    $dbUserPass = sha1( $hashSalt . $hashPass );

    Or not even bother with a second sha1 of the combined passwords? I'm just thinking it's best to not even have your Salt PassPhrase shown in any code or stored in the database unless it's already hashed.

  #8 Senior Coder

    You could increase the power of the salt by storing a random string for each user. Then when you encrypt (this does require an additional query):

    PHP Code:
    // per-user random string fetched from the database (extra query)
    $randomString = getRandomStringFromDb($userId);
    $encryptedPassword = sha1($password . $randomString . "MyPassPhrase");
    Now each hash will be unique per user, even if they use the same password (this would prevent someone from stealing additional accounts in case they manage to find out 1 password).
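    Putting posts #2, #6 and #8 together, here is an added example (not code from the thread) of a per-user random salt plus a site-wide pass phrase, with a check that the sha1 output actually fits the 40-char column. It assumes PHP 7+ for random_bytes() and uses a plain array in place of the users table so it runs without a database.

    ```php
    <?php
    // Added example, not the thread's code. Assumes PHP 7+ (random_bytes) and
    // a PHP array standing in for the users table, so it runs with no database.
    const HASH_COLUMN_LEN = 40;              // sha1() yields 40 hex chars (post #2's point)
    const SITE_PASSPHRASE = 'MyPassPhrase';  // site-wide secret from post #8; keep in config, not the DB

    // Create the per-user record: random salt plus hash, as post #8 describes.
    function makePasswordRecord(string $password): array
    {
        $salt = bin2hex(random_bytes(16));                      // 32 hex chars, unique per user
        $hash = sha1($salt . $password . SITE_PASSPHRASE);
        if (strlen($hash) !== HASH_COLUMN_LEN) {                 // guards the truncation bug from post #5
            throw new RuntimeException('hash does not fit the password column');
        }
        return ['salt' => $salt, 'hash' => $hash];
    }

    // Login check: recompute with the stored salt and compare in constant time.
    function verifyPassword(array $record, string $password): bool
    {
        $candidate = sha1($record['salt'] . $password . SITE_PASSPHRASE);
        // hash_equals() avoids timing leaks and PHP's loose '==' on numeric-looking hex strings
        return hash_equals($record['hash'], $candidate);
    }

    // Constructed demo: two users with the same password end up with different hashes.
    $users = [
        'alice' => makePasswordRecord('correct horse'),
        'bob'   => makePasswordRecord('correct horse'),
    ];
    var_dump($users['alice']['hash'] !== $users['bob']['hash']);
    var_dump(verifyPassword($users['alice'], 'correct horse'));
    var_dump(verifyPassword($users['alice'], 'battery staple'));
    ```

    On current PHP the per-user salt and constant-time comparison come built in via password_hash() and password_verify(), which also use a deliberately slow hash instead of sha1().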

