Web Design

NOTE: This is a collection of information and links collected over the years that might provide useful information. A Safer Company LLC does not guarantee, endorse or approve any of these links or their scripts. Use these links to other websites at your own risk.

PHP - Password Hashing

Password hashing is a way of scrambling a password into a fixed-length value before it is stored, so that someone who sees the stored value cannot read the password. Unlike encryption, a hash is one-way: there is no key that turns it back into the original password.

A fixed-length hash for any string can easily be generated with PHP:

<?php
   /* $password holds the plain-text password; sha1() returns a 40-character hex digest */
   $passwordHash = sha1($password);
?>

It is difficult to recover the original string from a hash.

Password hashing can be used to authenticate a user: the hash of the password the user enters into the form is compared with the hash stored for that user.

Hashing Algorithms

  • Most common algorithms
    • MD5 - md5() - returns a 128-bit hash (32 hexadecimal characters)
    • Secure Hash Algorithm 1 (SHA-1) - sha1() - possibly weak, but adequate security for most applications - returns a 160-bit hash (40 hexadecimal characters)
  • Stronger algorithms - SHA-256 and SHA-512 are recommended (hash('sha256', $string) and hash('sha512', $string) return 64 and 128 hexadecimal characters respectively)
  • Data Encryption Standard (DES) hashes should be avoided because they only use 56 bits and are not strong enough.

Checking a login against the stored hash ($db is the page's database object, whose query() takes the SQL and an array of parameters and whose result has a numRows() method):

<?php
/* Check user details */
$passwordHash = sha1($_POST['password']);

/* Placeholders keep the user-supplied values out of the SQL text */
$sql = 'SELECT username FROM user WHERE username = ? AND passwordHash = ?';
$result = $db->query($sql, array($_POST['username'], $passwordHash));

if ($result->numRows() < 1)
{
    /* Access denied */
    echo 'Sorry, your username or password was incorrect!';
}
else
{
    /* Log user in */
    printf('Welcome back %s!', $_POST['username']);
}
?>

Comparing the two most common algorithms on the same input:

<?php
$string = "mypassword";
printf("Original: %s<br />", $string);
printf("MD5 hash: %s<br />", md5($string));
printf("SHA-1 hash: %s<br />", sha1($string));
?>

The code above shows:

Original: mypassword
MD5 hash: 34819d7beeabb9260a5c854bc85b3e44
SHA-1 hash: 91dfd9ddb4198affc5c194cd8ce6d338fde470e2

Storing a new user, hashing inside the database with its SHA1() function:

<?php
/* Store user details */
$sql = 'INSERT INTO user (username, passwordHash) VALUES (?, SHA1(?))';
$result = $db->query($sql, array($_POST['username'], $_POST['password']));
?>

Strong Passwords

  • Do not use words that are in a dictionary
  • Longer passwords are better
  • Add special characters and digits

Adding Security to Passwords

Create a random string of characters of a predetermined length (the "salt") and prepend it to the plain-text password before hashing. Store both the salt and the resulting hash. Because a fresh salt is generated every time, the same password produces a different hash each time, provided the salt is long enough and truly random.

To validate the user, take the salt from the database, prepend it to the password the user supplied, run the result through the same hashing algorithm, and compare the output with the hash stored in that user's profile.

<?php
define('SALT_LENGTH', 9);

/* Returns the salt followed by the SHA-1 hash of salt + password.
   With no salt given, a new random one is generated, so the output
   differs on every call; pass the stored salt to verify a login. */
function generateHash($plainText, $salt = null)
{
    if ($salt === null)
    {
        /* SALT_LENGTH hex characters taken from an MD5 of a pseudo-random id */
        $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
    }
    else
    {
        /* Re-use the first SALT_LENGTH characters of the stored value */
        $salt = substr($salt, 0, SALT_LENGTH);
    }
    return $salt . sha1($salt . $plainText);
}

$string = "mypassword";
echo generateHash($string);
?>

The code above shows (the first 9 characters are the salt, so the output changes on every run):

3747021384b43dab216f526fee3239d0bc6fe073b53a47d70

Note: The function above is limited in that the maximum salt length is 32 characters (the length of an MD5 hex digest). You may wish to write your own salt generator to overcome this limit and increase the entropy of the string.
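The validation step described above, the login check shown earlier, and the note's suggestion of a salt generator without the 32-character limit, worked through as an added example. This is not code from the original page or from A Safer Company LLC. It assumes PHP 7.1 or later with the PDO SQLite driver (an in-memory database stands in for the real one), keeps the page's "user" table and "passwordHash" column, and uses constructed usernames and passwords. Salt and hash are stored in one column separated by "$", so the salt can be any length.

```php
<?php
// Added example, not code from the original page. Assumes PHP 7.1+ with the
// PDO SQLite driver; the in-memory database makes it run stand-alone.

const SALT_BYTES = 16;        // 16 random bytes -> 32 hex chars; raise freely
const HASH_ALGO  = 'sha256';  // one of the stronger algorithms listed above

/* Salt generator not tied to md5()'s 32-character ceiling. */
function generateSalt(int $bytes = SALT_BYTES): string
{
    // random_bytes() reads the OS CSPRNG; uniqid()/rand() are guessable.
    return bin2hex(random_bytes($bytes));
}

/* Build the value to store: "<salt>$<hex hash of salt.password>". */
function generateSaltedHash(string $plainText, ?string $salt = null): string
{
    $salt = $salt ?? generateSalt();
    return $salt . '$' . hash(HASH_ALGO, $salt . $plainText);
}

/* The validation step from the text: pull the salt out of the stored value,
   hash salt.password again and compare with the stored hash. */
function verifySaltedHash(string $plainText, string $stored): bool
{
    $parts = explode('$', $stored, 2);
    if (count($parts) !== 2) {
        return false;   // malformed record: never a match
    }
    [$salt, $expected] = $parts;
    // hash_equals() runs in constant time, so a wrong guess cannot be timed.
    return hash_equals($expected, hash(HASH_ALGO, $salt . $plainText));
}

/* Registration: the database only ever sees salt and hash, never the password. */
function storeUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO user (username, passwordHash) VALUES (?, ?)');
    $stmt->execute([$username, generateSaltedHash($password)]);
}

/* Login: look the user up by name only, then verify in PHP. Comparing the
   hash inside the SQL WHERE clause cannot work once every user has a
   different salt. */
function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT passwordHash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still do a hash so timing does not reveal valid names.
        verifySaltedHash($password, generateSaltedHash('dummy'));
        return false;
    }
    return verifySaltedHash($password, $row['passwordHash']);
}

// Constructed demo data in a throwaway in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, passwordHash TEXT NOT NULL)');

storeUser($db, 'alice', 'mypassword');
storeUser($db, 'bob',   'mypassword');

// Same password, two different stored values, because the salts differ.
foreach ($db->query('SELECT username, passwordHash FROM user') as $row) {
    printf("%s: %s\n", $row['username'], $row['passwordHash']);
}

var_dump(checkLogin($db, 'alice', 'mypassword'));   // correct password
var_dump(checkLogin($db, 'alice', 'MyPassword'));   // wrong password
var_dump(checkLogin($db, 'mallory', 'mypassword')); // unknown user
```

Run it with "php example.php". Two points the page's own code does not cover: the comparison happens in PHP with hash_equals() rather than in the SQL WHERE clause, because each stored hash now depends on its own salt, and the salt comes from random_bytes() rather than from uniqid()/rand(), whose output an attacker can predict. On PHP 5.5 and later, password_hash() and password_verify() do all of this with a deliberately slow, salted algorithm (bcrypt by default) and are the better choice over any hand-rolled SHA scheme, since SHA-256 is fast and therefore cheap to guess against.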


Page last updated: June 08, 2012 15:16 PM


Web Site by: A Safer Company LLC