#1 posted by durangod (Senior Coder)

    Handy and simple password and salt creator

    There was no sense in creating another function for an alphanumeric value just for the salt when the password function did the same thing, so we just used it as part of the salt. Feedback is welcome.

    Remember, this just gives you the raw values; you still need to hash the password like so:


    PHP Code:
    $password = password_hash($value, PASSWORD_BCRYPT);


    PHP Code:

    function newPassword() {

        $pass = rand(1000, 1000000);

        // removed number 0, capital O, number 1 and small L
        $options = array('A','B','C','D','E','F','G','H','J','K','L','M',
            'N','P','Q','R','S','T','U','V','W','X','Y','Z',
            'a','b','c','d','e','f','g','h','i','j','k','m',
            'n','p','q','r','s','t','u','v','w','x','y','z',
            '1','2','3','4','5','6','7','8','9','$','^','(',')','[',']');

        // array_flip() turns the characters into keys, so array_rand() hands back 6 distinct characters
        $grabit = array_rand(array_flip($options), 6);

        $freshpass = $grabit[1].$grabit[3].$grabit[5].$grabit[2].$grabit[0].$grabit[4].$pass;

        return $freshpass;

    }
    //close function newPassword


    function makeSalt()
    {
        // seed with microseconds
        list($usec, $sec) = explode(' ', microtime());

        $presalt = $sec + $usec * 1000000;

        $alphanum = newPassword();  //does the same as a new function would do

        $pepper = $presalt.$alphanum;

        $saltmixed = str_shuffle($pepper);

        $salt = substr($saltmixed, 0, 16);

        return $salt;

    }
    //close function makeSalt
    Last edited by durangod; Jun 13th, 2019 at 03:37 AM. Reason: added truncate substr to 16 chars for salt
    If a php file only has php code within it you do not need to use the closing php tag
    A good way to remember objects from arrays is you shoot objects with arrows Example: $name->id; then Arrays are $name['id'];
    durangod is short for durango dave

#2 posted by deathshadow (Senior Coder)
    How is a random salt going to be useful in the hash? When you go to verify you won't have that number to check it against. Much less if you're going to make random passwords, why not just use base64 and random_bytes?

    $randomPass = base64_encode(random_bytes(16));

    Boom, easy string that is -- theoretically -- cryptographically secure. Makes for great "random" passwords. If you want even more "secure" -- at least in theory -- openssl_random_pseudo_bytes might be an even better choice.

    Woah, did I just actually advise using the 1960's technological parody that is base64 encoding?
    “There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies.” – C.A.R. Hoare, The 1980 ACM Turing Award Lecture
    http://www.cutcodedown.com

#3 posted by durangod (Senior Coder)
    Quote Originally Posted by deathshadow:
    How is a random salt going to be useful in the hash? When you go to verify you won't have that number to check it against. Much less if you're going to make random passwords, why not just use base64 and random_bytes?

    $randomPass = base64_encode(random_bytes(16));

    Boom, easy string that is -- theoretically -- cryptographically secure. Makes for great "random" passwords. If you want even more "secure" -- at least in theory -- openssl_random_pseudo_bytes might be an even better choice.

    Woah, did I just actually advise using the 1960's technological parody that is base64 encoding?
    LOL yes you did, I about fell off my chair!!

    I should have probably included the whole picture; I guess I just assumed that people would know to put the salt with the password before hashing. Also the salt is readily available via a CONSTANT in the config file and its value accessed any time it's needed.

    So in the config file, which is created at install, there is a value, for example:

    PHP Code:
    define('PWSALT', 'salt value is here written during install');
    Then when someone logs in and types their password we take their $_POST input for PW and add PWSALT to it.
    cleanInput is the sanitizer we use.


    PHP Code:
    $userpw = cleanInput($_POST['user_pw']);
    $pw = $userpw.PWSALT;
    $pwhash = password_hash($pw, PASSWORD_BCRYPT);

    //then we just check the value against the DB table value during login.
    //note: that check has to be password_verify($pw, $storedHash); a fresh password_hash()
    //result carries its own random salt and will never be string-equal to the stored value.

    As far as using base64, I have always used that to obfuscate URL data such as user ID numbers and the like, with base64_encode on the sending end and base64_decode on the receiving end to process the request. The only reason I have never used it for PW is because I was always told it was not secure for PW. If that is not correct then I will gladly stand corrected, but that's why I never used it for that purpose. I was told that the only viable secure option was a hash that could not be unhashed and you just compare the value as is (hashed) and never unhash it to compare it; base64 can be decoded and it's not a hash, it's an obfuscation tool to me.

    I hope that explains why.

    PS I just reread your reply; ok yeah, you mean just for salt creation do the base64, that would work and it would save some code lines... thanks
    Last edited by durangod; Jun 13th, 2019 at 04:20 PM.
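The login flow above (config constant appended to the password, then password_hash, then a check against the stored value) as a complete round trip. This is an added example, not code from the thread; registerUser, checkLogin, prepare, bcryptParts and the APP_PEPPER constant are names made up here, and APP_PEPPER plays the role of durangod's PWSALT. It also shows what password_verify actually compares, since a freshly computed password_hash output will never be string-equal to the stored one.

```php
<?php
// Added example (not from the thread): one register/login round trip with
// password_hash()/password_verify(). Function names and APP_PEPPER are made
// up for this illustration; the PWSALT constant in post #3 plays the same role.
declare(strict_types=1);

// A site-wide secret mixed into every password is a pepper, not a salt: it is
// the same for all users and lives in config, never in the database.
// Placeholder only; set a real value at install, e.g. bin2hex(random_bytes(32)).
define('APP_PEPPER', 'placeholder-pepper-set-at-install');

// Pre-hash with the pepper as an HMAC key (64 hex chars) instead of plain
// concatenation, so bcrypt's 72-byte input limit never truncates the pepper
// or the password.
function prepare(string $plain): string
{
    return hash_hmac('sha256', $plain, APP_PEPPER);
}

function registerUser(string $plain): string
{
    // password_hash() draws a fresh 16-byte salt from a CSPRNG and stores it
    // inside the returned string, so no separate salt has to be saved.
    return password_hash(prepare($plain), PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkLogin(string $plain, string $storedHash): bool
{
    // password_verify() reads cost and salt back out of $storedHash, which is
    // why a recoverable salt constant is unnecessary here.
    return password_verify(prepare($plain), $storedHash);
}

// Split a "$2y$NN$" bcrypt string: 22-char salt, then 31-char digest.
function bcryptParts(string $hash): array
{
    return [
        'cost'   => (int) substr($hash, 4, 2),
        'salt'   => substr($hash, 7, 22),
        'digest' => substr($hash, 29, 31),
    ];
}

// Self-check: the same password twice gives two different salts and hashes,
// and verification succeeds only for the right password.
$hashA = registerUser('correct horse battery');
$hashB = registerUser('correct horse battery');

if ($hashA === $hashB || bcryptParts($hashA)['salt'] === bcryptParts($hashB)['salt']) {
    throw new RuntimeException('salt should differ per hash');
}
if (!checkLogin('correct horse battery', $hashA) || checkLogin('wrong horse', $hashA)) {
    throw new RuntimeException('verification mismatch');
}

// The stored hash as it would sit in the DB: "$2y$12$" . salt . digest
echo $hashA, PHP_EOL;
```

The HMAC pre-hash is a design choice added here rather than the thread's string concatenation: it keeps the bcrypt input at a fixed 64 characters and means a leaked database table alone is not enough to run an offline attack without the pepper from config.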

#4 posted by deathshadow (Senior Coder)
    Quote Originally Posted by durangod:
    Also the salt is readily available via a CONSTANT in the config file and its value accessed any time its needed.
    Defeating the purpose of a salt, though that's generally the problem with salts and why they're more placebo than security. Hence why I never understood why so much time, effort, and code went into their generation and/or use. If you need to have it where you can recover it for application during password_verify, you've likely completely defeated why one should even bother salting in the first place.

    But then I've dealt far more with code elevations being the cause of a breach, and not theft of data. Most of the time you have the former before the latter, which is why salts basically do little to nothing if you've got your DB access 'correct' in the first place. MAYBE back when people were still derping user created values into their query strings it ALMOST made sense, but with SQL injections mostly a thing of the past, the odds of leaking the database without the salt in the code ALSO being leaked is next to nil.

    Quote Originally Posted by durangod:
    As far as using base64, i have always used that to obviscate url data such as user id number and the like with base64_encode on sending end and base64_decode on the receiving end to process the request.
    I'm only using base64 to convert the random bytes to the 64 letter character space of said 6 bit character encoding. It's a sneaky trick to replicate what you were doing with your array. Remember, base64 isn't some magical modern 64 bit format (no matter how many people seem to be under that delusion), it's an outdated 6 bit character encoding that was invented to deal with old mainframes not being able to handle 8 bit data. 6 bits == 64 possible values. LITERALLY "base 64".

    If you generate a bunch of random bytes, converting them to base64 just gives you a bunch of random characters including a..z, A..Z, 0..9, + and /.

    Though I should have used 18 random bytes for 24 characters of output.

    Code:
    $randomPass = base64_encode(random_bytes(18));
    Is really no different than doing:

    Code:
    $characters = [
        'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
        'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P',
        'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X',
        'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f',
        'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
        'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
        'w', 'x', 'y', 'z', '0', '1', '2', '3',
        '4', '5', '6', '7', '8', '9', '+', '/'
    ];

    $randomPass = '';

    // string concatenation is .= in PHP, and the array needs its $ sigil;
    // random_int() is the CSPRNG counterpart of random_bytes(), rand() is not
    for ($i = 0; $i < 24; $i++) $randomPass .= $characters[random_int(0, 63)];
    As all the bits are random, regardless of how you slice 'em into characters.
    Last edited by deathshadow; Jun 13th, 2019 at 04:56 PM.


#5 posted by durangod (Senior Coder)
    Thanks for the education, it certainly makes things easier for troubleshooting and overall management not having to worry about salt, and it saves code as well. I am converted.

    //removed number 0, capital o, number 1 and small L

    I did that as I felt some of our older users would confuse them, but that is not a problem using them; it was just a thought anyway.

    Thanks...
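The two generators compared in post #4 (random_bytes plus base64, and picking characters from an alphabet) and the look-alike-character concern from post #1 and #5, worked through as one added example. This is not code from the thread; randomPasswordBase64, randomPasswordFromAlphabet, withoutConfusables and entropyBits are names made up here. It generalises the thread's fixed 64-character alphabet to any alphabet and reports how many bits of entropy each choice gives.

```php
<?php
// Added example (not from the thread): CSPRNG-backed password generation.
// The base64_encode(random_bytes()) one-liner from post #4 sits next to a
// general "pick from an alphabet" version that can drop look-alike characters.
// All function names here are invented for the illustration.
declare(strict_types=1);

// 18 random bytes -> 24 base64 characters with no '=' padding (3 bytes -> 4 chars).
function randomPasswordBase64(int $bytes = 18): string
{
    return base64_encode(random_bytes($bytes));
}

// Same idea for any alphabet. random_int() is the CSPRNG counterpart of
// random_bytes(); rand()/mt_rand() are not suitable for secrets.
function randomPasswordFromAlphabet(string $alphabet, int $length): string
{
    $max = strlen($alphabet) - 1;
    if ($max < 1 || $length < 1) {
        throw new InvalidArgumentException('need an alphabet of 2+ characters and length >= 1');
    }
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max], so there is no modulo bias.
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Drop characters users tend to confuse (0/O, 1/l/I, |) from an alphabet.
function withoutConfusables(string $alphabet, string $drop = '0O1lI|'): string
{
    return str_replace(str_split($drop), '', $alphabet);
}

// Bits of entropy for $length independent picks from $alphabetSize symbols.
function entropyBits(int $alphabetSize, int $length): float
{
    return $length * log($alphabetSize, 2);
}

$base64Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
$readable = withoutConfusables($base64Alphabet);

// Both give 24 characters; the smaller alphabet costs a little entropy per character,
// which is the real price of removing look-alikes, not any weakness in the characters.
printf("%s  (%d chars from %d symbols, %.1f bits)\n",
    randomPasswordBase64(), 24, 64, entropyBits(64, 24));
printf("%s  (%d chars from %d symbols, %.1f bits)\n",
    randomPasswordFromAlphabet($readable, 24), 24, strlen($readable), entropyBits(strlen($readable), 24));
```

If the value ends up in a URL or file name, note that base64 output can contain '+' and '/'; passing a URL-safe alphabet (or the output of bin2hex(random_bytes())) to randomPasswordFromAlphabet avoids that without touching the randomness.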
