Is this a good way to hash passwords?

devinmaking · 01-29-2013, 03:35 PM

Hi guys how are things

Ive recently been thinking of ways to make my passwords a little less hackable.

Ive been thinking of using bcrypt or scrypt but in my way of thinking its not how good the hash encryption algorithm is but how you set your passwords out.

I maybe wrong here as i have only been in this industry for 18 months.

But i was thinking of having a salt password and pepper in sha256 which i know is not the best but still has a 256bit encryption which will slow the hacker down a few seconds lol..

Then i was thinking of cutting the password into 20 and scrambling it.

Like so

PHP Code:


			
$salt     = hash('sha256', '&^RVNH.dsf(&');
$pepper = hash('sha256' , rand(1,9999) . rand('a','z') . rand(1.999));
$passraw = $salt . hash('sha256', $password) . $pepper . '9s8fj2ms';
$p1 = substr($passraw,0,10);
$p2 = substr($passraw,10,10);
$p3 = substr($passraw,20,10);
$p4 = substr($passraw,30,10);
$p5 = substr($passraw,40,10);
$p6 = substr($passraw,50,10);
$p7 = substr($passraw,60,10);
$p8 = substr($passraw,70,10);
$p9 = substr($passraw,80,10);
$p10 = substr($passraw,90,10);
$p11 = substr($passraw,100,10);
$p12 = substr($passraw,110,10);
$p13 = substr($passraw,120,10);
$p14 = substr($passraw,130,10);
$p15 = substr($passraw,140,10);
$p16 = substr($passraw,150,10);
$p17 = substr($passraw,160,10);
$p18 = substr($passraw,170,10);
$p19 = substr($passraw,180,10);
$p20 = substr($passraw,190,10);
    
$passencrypt = $p2 . $p5 . $p19 . $p11 . $p1 . $p15 . $p7 . $p18 . $p3 . $p20 . $p17 . $p16 . $p4 . $p10 . $p8 . $p12 . $p14 . $p9 . $p13 . $p6;

Can someone tell me if this is worth it or am i just playing with stuff that wont make any difference?

Thanks

**EDIT**

For got to mention because the pepper is random, this is stored in a different table within the database to retrieve it when login is in effect.

TFlan · 01-29-2013, 03:49 PM

It doesn't really matter if it's in a separate table within the same database, if a hacker has access to one table, s/he has access to all tables.

Doing what you are doing will stump the amateur hacker, but a pattern is a pattern, regardless of how you slice and dice it.

I won't say "this is worth it", but I also won't say this isn't worth it - Passwords are inherently and forever insecure

Fou-Lu · 01-29-2013, 03:52 PM

IMO this is more work than you need. Sha256 would be 2^256 chance for collision, which is, well very high. I'm not a cryptographic expert by any far stretch of the imagination, but best I know sha256 has not been compromised as of yet. I wouldn't go to any effort to chop the strings up.
The ordering isn't desirable though. You have a salt and pepper that are added after the hash, which means that all passwords start and end with the same sequence. Instead, use hash('sha256', $salt . $password . $pepper); where salt and pepper could be anything, even a single byte that add uniqueness to the password. So two users with the passwords 'apassword' don't end up with the same password within storage.
Cutting the string up isn't all that helpful overall. If software is compromised as well, than the pattern is a standard sequence in order to reassemble it. Since you cannot randomize it, you would either need to do pattern reassembly for it based on offset sequence, or you would need to calculate reassignment based on values. The latter is pretty much what the hashing algorithms are doing anyways.
BTW, if you want to split that up, create an array instead using str_split instead.

devinmaking · 01-29-2013, 03:54 PM

Quote:

Originally Posted by TFlan

It doesn't really matter if it's in a separate table within the same database, if a hacker has access to one table, s/he has access to all tables.

Doing what you are doing will stump the amateur hacker, but a pattern is a pattern, regardless of how you slice and dice it.

I won't say "this is worth it", but I also won't say this isn't worth it - Passwords are inherently and forever insecure

so how do the big boys do this, For instance you never hear Google or high end banks getting hacked.

So how would they do this.

I know scrypt is meant to be the best but just because its the best now doesnt mean it will be in 12 months.

For instance everyone thought sha was the best then hackers cracked it.

devinmaking · 01-29-2013, 03:57 PM

Quote:

Originally Posted by Fou-Lu

IMO this is more work than you need. Sha256 would be 2^256 chance for collision, which is, well very high. I'm not a cryptographic expert by any far stretch of the imagination, but best I know sha256 has not been compromised as of yet. I wouldn't go to any effort to chop the strings up.
The ordering isn't desirable though. You have a salt and pepper that are added after the hash, which means that all passwords start and end with the same sequence. Instead, use hash('sha256', $salt . $password . $pepper); where salt and pepper could be anything, even a single byte that add uniqueness to the password. So two users with the passwords 'apassword' don't end up with the same password within storage.
Cutting the string up isn't all that helpful overall. If software is compromised as well, than the pattern is a standard sequence in order to reassemble it. Since you cannot randomize it, you would either need to do pattern reassembly for it based on offset sequence, or you would need to calculate reassignment based on values. The latter is pretty much what the hashing algorithms are doing anyways.
BTW, if you want to split that up, create an array instead using str_split instead.

Thanks for the advice

TFlan · 01-29-2013, 04:01 PM

Secure passwords are not the end-all-be-all. You also need a secure database.

People/Businesses that get hacked are hacked because of other security weaknesses. Such as SQL injection, XSS, CSRF, session hijacking, whatever.

These weaknesses give hackers the open doorway into your database where they can download your users table and then run the cracking script on your hashes.

To secure your passwords, secure your database. Plug those holes. You're approaching the problem as if someone already has access to your database

tangoforce · 01-29-2013, 08:03 PM

Quote:

Originally Posted by devinmaking

so how do the big boys do this, For instance you never hear Google or high end banks getting hacked.

They spend mega-bucks on having full time staff monitoring their systems, having the best in the field working for them, employing slightly more staff than they actually need across multiple sites and generally having more human brain power than the one or three man hacking team.