Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 6 of 6
  1. #1
    New Coder
    Join Date
    Oct 2003
    Location
    AZ
    Posts
    69
    Thanks
    0
    Thanked 0 Times in 0 Posts

    how to protect passwords

    I used md5 to hash (encrypted) my passwords in my database; but if someone gets access to my database they can run the hashed(encrypted) passwords against the script to hack in. To prevent this I do a custom scramble of the md5() hash.

    Lets use the example of a user signing up on my site; in which I store his user name and password in my database.

    Lets say he signed up with the password "mypassword"

    I send "mypassword" through a scrample function:

    <?php
    function encrypt($e_pssd)
    {
    $input_md5 = md5($e_pssd); // creates a hash

    $create_encryption = rand(100,199); // produces a random number between 100 and 199
    $create_encryption .= $input_md5; // adds hashed password to the variable
    $create_encryption .= rand(100,199); // produces a random number between 100 and 199
    $encrypted_pssd = $create_encryption;

    return $encrypted_pssd;
    }

    // encrypted("mypassword") will return:
    // 10534819d7beeabb9260a5c854bc85b3e44157

    ?>

    md5() always returns a 32-character hexadecimal number - so no matter how long the str the hash will be 32 charactors long. what this does is add three random numbers between 100 and 199 on the end of the md5 encrypted password. md5() takes any str and

    so who ever gets in my database to retrieve the passwords will get (depending on your scramble) a md5() hash with characters thrown in it. This will make it impossible to figure out what string of charaters he has to use.

    To unscramble passwords you pull out for a login I made another function "cleaning" out the md5() hash.

    <?php
    function decrypt($d_pssd)
    {
    $clean_decrypt = substr($d_pssd, 3, 32); // returns the string with the hash with out the first and last three numbers. revealing the actual hash.
    $decrypted = $clean_decrypt;

    return $decrypted;
    }

    $unscrambled = decrypt('10534819d7beeabb9260a5c854bc85b3e44157');
    ?>

    $unscrambled will return with the first three characters and last three characters left out. giving the clean (unscrambled) md5() hash.

    you can make things even more complicated by spliting up the md5() hash in several parts and inputing random numbers and then unscramble by spliting the scrambled md5() hash and removing those random numbers.

    I hope I made this clear enough.

    Any comments welcome.
    Last edited by coffeedemon; 10-27-2003 at 06:01 PM.
    PHP | FreeBSD | MySQL |
    Check documentation... check documentation again and actually read it..do it... doesn't work ask.

  • #2
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Sorry, but i don't understand it. Why crypt a hashfunction ?
    I also don't understand
    but if someone gets access to my database they can run the hashed(encrypted) passwords against the script to hack in.
    Run the hashed values against the script ?

    If that is true, then there is simply something wrong whith your loginprocedure. You normaly just hash the pwd and compare that output with the output of the initial hashing you stored in the db.

    And there is no real reason to do some further encryprion using a random seed. It also dosn't offer much extra security since encrypt is reversable + i think that even i would be smart enough to see the patter and to just remove the 6 digits.

    The only extra security there could be is that you can keep it concealed that you do an extra encoding. But why post it here then ?

    A hacker that can get into your db and files will be smart enough to just read the code and see the setup. The only secure way, is to force the users to use a strong pwd and then store the hashed value.

    It also sea
    ems better to use sha1() or sha2() then md5().
    Apparently VISA explicitely forbids the use of md5() if you want to use their services.
    Last edited by raf; 10-27-2003 at 07:19 AM.

  • #3
    Super Moderator
    Join Date
    May 2002
    Location
    Perth Australia
    Posts
    4,040
    Thanks
    10
    Thanked 92 Times in 90 Posts
    Your new hash is no safer against brute forceing than md5() + if someone gets into your DB you are squished anyway as its only a matter of time ... not that it matters at that point ?

    so I am with raf in that I don't quite see the point ?
    resistance is...

    MVC is the current buzz in web application architectures. It comes from event-driven desktop application design and doesn't fit into web application design very well. But luckily nobody really knows what MVC means, so we can call our presentation layer separation mechanism MVC and move on. (Rasmus Lerdorf)

  • #4
    New Coder
    Join Date
    Oct 2003
    Location
    AZ
    Posts
    69
    Thanks
    0
    Thanked 0 Times in 0 Posts
    well obviously this isn't the way i do it. i would do something more complicated.

    if you did get the hash you wouldn't be smart enough to guess which 6 to remove and with 32 to keep.

    "If that is true, then there is simply something wrong whith your loginprocedure. You normaly just hash the pwd and compare that output with the output of the initial hashing you stored in the db."

    If they are able to access your DB then they obviously have access to make their own scripts against it.

    but if you say it's not worth it then i guess it makes since. i was just playing around and it seemed to make sense to me last night and not so much today.
    PHP | FreeBSD | MySQL |
    Check documentation... check documentation again and actually read it..do it... doesn't work ask.

  • #5
    raf
    raf is offline
    Master Coder
    Join Date
    Jul 2002
    Posts
    6,589
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Originally posted by coffeedemon
    well obviously this isn't the way i do it. i would do something more complicated.
    Well, not everyone here is a PHP or encryption wizzard so i would at least warn people that this is just a simple description of a possible approach or something like that. But hey, i'm nagging
    Originally posted by coffeedemon

    if you did get the hash you wouldn't be smart enough to guess which 6 to remove and with 32 to keep.
    Oh yes, i'm smart enough for that. Just print of a list and you'll see the pattern.

    Originally posted by coffeedemon

    If they are able to access your DB then they obviously have access to make their own scripts against it.
    Not necessarely true. Unless they also get write acces to the servers webfolders (or if you used a % for the server and or db's when you set up the account), but then you can pack it in altogether.
    Besides, the issue was passwordencryption, and if they get into the db, the only way they can get the original values is brute-forcing.
    So like is said: how secure a pwd is, depends on how 'strong' it is. 'secret' being very weak, 'cd5sd4fc5dsd5' being quite strong.

    Originally posted by coffeedemon

    but if you say it's not worth it then i guess it makes since. i was just playing around and it seemed to make sense to me last night and not so much today.
    I certainly know that feeling

  • #6
    New Coder
    Join Date
    Oct 2003
    Location
    AZ
    Posts
    69
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Thumbs down

    yes pretty much
    PHP | FreeBSD | MySQL |
    Check documentation... check documentation again and actually read it..do it... doesn't work ask.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •