PHP - Password Hashing

Password hashing is a one-way transformation of a password into a fixed-length digest that is stored instead of the password itself, so that anyone who reads the stored value (a database dump, a backup, a log) does not see the password. It is not encryption: there is no key, and the digest is not meant to be reversed.

A fixed-length hash of any string can be generated with PHP's built-in functions.

<?php
   // sha1() returns a 40-character hexadecimal digest regardless of input length.
   $password = 'mypassword';
   $password_hash = sha1($password);
   ?>

For a sound hash function, recovering the original string from its digest is computationally infeasible (preimage resistance). Passwords are a special case: the input space is small and guessable, so an attacker does not invert the hash at all but hashes candidate passwords and compares the results with the stolen digests.

Password hashing can be used to authenticate a user: hash the password the user enters in the form and compare it with the hash stored for that user. The plaintext password never has to be stored.
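The comparison attack described above, as an added example that is not part of the original page: a dictionary attack against a table of unsalted sha1() hashes stored the way the page's login code stores them. The user table and wordlist are constructed for the demo.

```php
<?php
// Added example (not from the original page): why an unsalted, fast hash
// such as md5()/sha1() does not protect a stored password. Every value
// below is constructed for the demonstration.
declare(strict_types=1);

/**
 * Dictionary attack: hash each candidate with the same fast algorithm and
 * look it up in the table of stolen hashes. Without a salt, one hash
 * computation tests the candidate against every user at once.
 *
 * @param array<string,string> $stolen   username => stored hex digest
 * @param string[]             $wordlist candidate passwords
 * @return array<string,string> username => recovered password
 */
function crackUnsalted(array $stolen, array $wordlist, string $algo): array
{
    // Invert the table (digest => usernames) so each candidate costs one hash.
    $byHash = [];
    foreach ($stolen as $user => $hash) {
        $byHash[strtolower($hash)][] = $user;
    }

    $recovered = [];
    foreach ($wordlist as $candidate) {
        $h = hash($algo, $candidate);
        if (isset($byHash[$h])) {
            foreach ($byHash[$h] as $user) {
                $recovered[$user] = $candidate;
            }
        }
    }
    return $recovered;
}

// Constructed "leaked" user table, hashed exactly as the page's code does.
$stolen = [
    'alice' => sha1('mypassword'),
    'bob'   => sha1('letmein'),
    'carol' => sha1('mypassword'),                  // same password as alice => same digest
    'dave'  => sha1('correct horse battery staple'), // not in the wordlist
];
$wordlist = ['123456', 'password', 'letmein', 'mypassword', 'qwerty'];

$found = crackUnsalted($stolen, $wordlist, 'sha1');
print_r($found);

// Self-check: three accounts fall to five hash computations, dave survives.
if (count($found) !== 3 || isset($found['dave']) || $found['alice'] !== $found['carol']) {
    throw new RuntimeException('unexpected cracking result');
}
```

The identical digests for alice and carol are the missing salt made visible: a single lookup cracks both accounts, and a precomputed table of common passwords works against every site that uses the same bare algorithm.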

Hashing Algorithms

  • Most common algorithms
    • MD5 - md5() - returns a 128-bit hash (32 hexadecimal characters). Collisions are practical to compute; do not use it for anything security-related.
    • Secure Hash Algorithm 1 (SHA-1) - sha1() - returns a 160-bit hash (40 hexadecimal characters). Weakened by known collision attacks and deprecated for new designs.
  • Stronger algorithms - SHA-256 and SHA-512 (hash('sha256', $s), hash('sha512', $s)) are recommended for general-purpose hashing.
  • Data Encryption Standard (DES) based crypt() hashes should be avoided: the 56-bit key and 8-character password limit are not strong enough.
  • Caveat for passwords: all of the above are fast, unsalted digests, and an attacker holding the hash table can test a very large number of guesses per second against them. For stored passwords use a deliberately slow, salted construction: password_hash()/password_verify() (bcrypt, available since PHP 5.5) or PBKDF2 via hash_pbkdf2().
<?php
	/* Check user details */
	/* $db is a database wrapper (PEAR DB style query()/numRows()) assumed to be set up earlier. */
	/* sha1() is a fast, unsalted digest; see "Adding Security to Passwords" below for why that is weak. */
	$passwordHash = sha1($_POST['password']);
	/* Placeholders keep the user-supplied values out of the SQL string (no injection). */
	$sql = 'SELECT username FROM user WHERE username = ? AND passwordHash = ?';
	$result = $db->query($sql, array($_POST['username'], $passwordHash));
	if ($result->numRows() < 1)
	{
		/* Access denied: one message for both failures, so the response does not reveal which usernames exist */
		echo 'Sorry, your username or password was incorrect!';
	}
	else
	{
		/* Log user in. Escape the username before echoing it back into HTML. */
		printf('Welcome back %s!', htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8'));
	}
?>

 

<?php
	$string = "mypassword";
	printf("Original: %s<br />", $string);
	printf("MD5 hash: %s<br />", md5($string));
	printf("SHA-1 hash: %s<br />", sha1($string));
?>

The code above shows:

Original: mypassword
MD5 hash: 34819d7beeabb9260a5c854bc85b3e44
SHA-1 hash: 91dfd9ddb4198affc5c194cd8ce6d338fde470e2
<?php
	/* Store user details */
	/* Hash in PHP rather than with SQL's SHA1() so the plaintext password never travels to the database server or lands in its query log. */
	$sql = 'INSERT INTO user (username, passwordHash) VALUES (?, ?)';
	$result = $db->query($sql, array($_POST['username'], sha1($_POST['password'])));
?>
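The store and check flows above, rewritten around password_hash()/password_verify() as an added example (not the page's own code). It uses an in-memory SQLite database through PDO so it runs stand-alone on PHP 7.4 or later with the pdo_sqlite extension; the table name, columns and bcrypt cost are assumptions for the demo, not the page's schema.

```php
<?php
// Added example (not from the original page): register/login with bcrypt via
// password_hash()/password_verify(). Schema and cost are assumptions.
declare(strict_types=1);

const BCRYPT_COST = 10; // raise on faster hardware; ~100 ms per hash is the usual target

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user (username TEXT PRIMARY KEY, passwordHash TEXT NOT NULL)');
    return $db;
}

/** Store user details: hash in PHP, never send the plaintext to the database. */
function registerUser(PDO $db, string $username, string $password): void
{
    // bcrypt with a random salt generated by PHP; salt and cost are embedded
    // in the $2y$ string, so a single column holds everything verify needs.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('INSERT INTO user (username, passwordHash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

/** Check user details; true only if the password verifies against the stored hash. */
function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT passwordHash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still pay for one verify so response time does not
        // reveal whether the username exists. The dummy hash is made once.
        static $dummy = null;
        $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        password_verify($password, $dummy);
        return false;
    }
    if (!password_verify($password, $row['passwordHash'])) {
        return false;
    }
    // Transparent upgrade if BCRYPT_COST was raised after this hash was made.
    if (password_needs_rehash($row['passwordHash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE user SET passwordHash = ? WHERE username = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), $username]);
    }
    return true;
}

$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');

// Self-checks: correct password accepted, wrong password and unknown user rejected.
if (!loginUser($db, 'alice', 'correct horse battery staple')) {
    throw new RuntimeException('correct password rejected');
}
if (loginUser($db, 'alice', 'mypassword') || loginUser($db, 'mallory', 'anything')) {
    throw new RuntimeException('bad credentials accepted');
}
echo "login flow OK\n";
```

When greeting the user afterwards, pass the username through htmlspecialchars() before echoing it; the page's printf('Welcome back %s!', $_POST['username']) reflects raw input into the HTML.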

Strong Passwords

  • Do not use words that are in a dictionary
  • Longer passwords are better
  • Add special characters and digits

Adding Security to Passwords

Create a random string of characters of a predetermined length, the "salt", and prepend it to the plaintext password before hashing. Store the salt together with the password hash. Because the salt is random, two users with the same password get different hashes, and an attacker cannot reuse a precomputed table of hashes or test one guess against every account at once; this holds only if the salt is long enough and comes from a proper random source.

To validate the user, read the salt from the database, prepend it to the password the user supplied, run the same hashing algorithm, and compare the result with the hash stored in that user's profile.

<?php
	define('SALT_LENGTH', 9);

	/* Returns salt . sha1(salt . password); the salt is recoverable as the first SALT_LENGTH characters of the result. */
	function generateHash($plainText, $salt = null)
	{
		if ($salt === null)
		{
			/* New password: make a salt. md5(uniqid(rand(), true)) is NOT a cryptographic random source; use random_bytes() (PHP 7) or openssl_random_pseudo_bytes() instead. */
			$salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
		}
		else
		{
			/* Validation: reuse the salt stored in front of the hash. */
			$salt = substr($salt, 0, SALT_LENGTH);
		}
		return $salt . sha1($salt . $plainText);
	}

	$string = 'mypassword';
	$stored = generateHash($string);
	echo $stored;
	/* Validate later by passing the stored value back as the salt and comparing. */
	$valid = ($stored === generateHash($string, $stored));
?>

The code above shows (the salt is random, so each run differs):

17b5b6961dad03efd98365f1cefa2b9eea87333670e7dae66

Note: The function above is limited in that the salt is cut from a 32-character md5() hex string, so SALT_LENGTH cannot exceed 32 and the salt alphabet is only the 16 hex digits. Write your own salt generator from a cryptographic random source (random_bytes() in PHP 7, openssl_random_pseudo_bytes() earlier) to remove the limit and increase the entropy of the string. Also note that sha1(salt . password) is still a single fast hash: the salt defeats precomputed tables and shared work across accounts, but does not slow down guessing against one account.
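The salt-and-hash scheme of this section with both limitations fixed, as an added example that is not the page's generateHash(): a 16-byte salt from random_bytes() and a slow, iterated hash (PBKDF2-HMAC-SHA256 through hash_pbkdf2()) in place of one sha1() pass. The salt$iterations$hash storage format and the iteration count are assumptions for the demo; it needs PHP 7 or later.

```php
<?php
// Added example (not from the original page): salted, iterated password
// hashing. Storage format and constants below are assumptions for the demo.
declare(strict_types=1);

const SALT_BYTES = 16;      // 128-bit salt, far beyond the page's 9 hex characters
const ITERATIONS = 100000;  // tune so one hash costs ~50-100 ms on the target server
const HASH_ALGO  = 'sha256';

/** Hash a new password; every call returns a different string for the same input. */
function hashPassword(string $plainText): string
{
    $salt = random_bytes(SALT_BYTES);   // CSPRNG, unlike md5(uniqid(rand()))
    $dk   = hash_pbkdf2(HASH_ALGO, $plainText, $salt, ITERATIONS, 0, true);
    return bin2hex($salt) . '$' . ITERATIONS . '$' . bin2hex($dk);
}

/** Recompute with the stored salt and iteration count, then compare in constant time. */
function verifyPassword(string $plainText, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 3) {
        return false;
    }
    [$saltHex, $iter, $hashHex] = $parts;
    $iterations = (int) $iter;
    // Reject malformed records before hex2bin() can return false.
    if ($iterations < 1 || !preg_match('/^[0-9a-f]+$/', $saltHex) || strlen($saltHex) % 2 !== 0) {
        return false;
    }
    $dk = hash_pbkdf2(HASH_ALGO, $plainText, hex2bin($saltHex), $iterations, 0, true);
    // hash_equals() does not stop at the first differing byte, so the
    // comparison time does not leak how much of the digest matched.
    return hash_equals($hashHex, bin2hex($dk));
}

$a = hashPassword('mypassword');
$b = hashPassword('mypassword');
echo $a, PHP_EOL;

// Self-checks: same password, different records; only the right password verifies.
if ($a === $b) {
    throw new RuntimeException('salt is not random');
}
if (!verifyPassword('mypassword', $a) || !verifyPassword('mypassword', $b)) {
    throw new RuntimeException('correct password rejected');
}
if (verifyPassword('mypasswor', $a) || verifyPassword('mypassword', 'garbage')) {
    throw new RuntimeException('bad input accepted');
}
```

Storing the iteration count beside the salt lets you raise ITERATIONS later and rehash each user on their next successful login, the same migration pattern password_needs_rehash() provides for bcrypt.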


Page last updated: June 08, 2012 15:16 PM

Web Site by: A Safer Company LLC