security: password encryption

Lykos22
Posts: 19
Joined: Sat Mar 24, 2012 9:03 am

security: password encryption

Post by Lykos22 »

Hi Jacek could you pleeeeeeeeeeaaaaaase make a tutorial on password encryption? I've read from many users recently in some forums that a simple md5 or sha1 isn't good enough even for a small personal website, so I tried to find some tutorials on how to encrypt or hash users' passwords, to access a page for example, but most of them use simple md5 or are hard to understand :( .
If so could you make a tutorial on that and release it soon?
Temor
Posts: 1186
Joined: Thu May 05, 2011 8:04 pm

Re: security: password encryption

Post by Temor »

There is absolutely no need for a tutorial on this. There are several hashing algorithms available, my personal favorite being Whirlpool.
Here is a list of all the algorithms available for the hash() function and their output:
[syntax=text]
md2 32 a9046c73e00331af68917d3804f70655
md4 32 866437cb7a794bce2b727acc0362ee27
md5 32 5d41402abc4b2a76b9719d911017c592
sha1 40 aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d
sha256 64 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e730
sha384 96 59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553
sha512 128 9b71d224bd62f3785d96d46ad3ea3d73319bfbc2890caadae2d
ripemd128 32 789d569f08ed7055e94b4289a4195012
ripemd160 40 108f07b8382412612c048d07d13f814118445acd
ripemd256 64 cc1d2594aece0a064b7aed75a57283d9490fd5705ed3d66bf9a
ripemd320 80 eb0cf45114c56a8421fbcb33430fa22e0cd607560a88bbe14ce
whirlpool 128 0a25f55d7308eca6b9567a7ed3bd1b46327f0f1ffdc804dd8bb
tiger128,3 32 a78862336f7ffd2c8a3874f89b1b74f2
tiger160,3 40 a78862336f7ffd2c8a3874f89b1b74f2f27bdbca
tiger192,3 48 a78862336f7ffd2c8a3874f89b1b74f2f27bdbca39660254
tiger128,4 32 1c2a939f230ee5e828f5d0eae5947135
tiger160,4 40 1c2a939f230ee5e828f5d0eae5947135741cd0ae
tiger192,4 48 1c2a939f230ee5e828f5d0eae5947135741cd0aefeeb2adc
snefru 64 7c5f22b1a92d9470efea37ec6ed00b2357a4ce3c41aa6e28e3b
gost 64 a7eb5d08ddf2363f1ea0317a803fcef81d33863c8b2f9f6d7d1
adler32 8 062c0215
crc32 8 3d653119
crc32b 8 3610a686
haval128,3 32 85c3e4fac0ba4d85519978fdc3d1d9be
haval160,3 40 0e53b29ad41cea507a343cdd8b62106864f6b3fe
haval192,3 48 bfaf81218bbb8ee51b600f5088c4b8601558ff56e2de1c4f
haval224,3 56 92d0e3354be5d525616f217660e0f860b5d472a9cb99d6766be
haval256,3 64 26718e4fb05595cb8703a672a8ae91eea071cac5e7426173d4c
haval128,4 32 fe10754e0b31d69d4ece9c7a46e044e5
haval160,4 40 b9afd44b015f8afce44e4e02d8b908ed857afbd1
haval192,4 48 ae73833a09e84691d0214f360ee5027396f12599e3618118
haval224,4 56 e1ad67dc7a5901496b15dab92c2715de4b120af2baf661ecd92
haval256,4 64 2d39577df3a6a63168826b2a10f07a65a676f5776a0772e0a87
haval128,5 32 d20e920d5be9d9d34855accb501d1987
haval160,5 40 dac5e2024bfea142e53d1422b90c9ee2c8187cc6
haval192,5 48 bbb99b1e989ec3174019b20792fd92dd67175c2ff6ce5965
haval224,5 56 aa6551d75e33a9c5cd4141e9a068b1fc7b6d847f85c3ab16295
haval256,5 64 348298791817d5088a6de6c1b6364756d404a50bd64e645035f[/syntax]
The longest hashes have been cropped.
Here's how you call the hash function:
[syntax=php]$hash = hash($algorithm, $password);[/syntax]

What you can do is add a salt to your password to further add some security. A salt is a string that's added to the password before hashing it to produce a different string. That way, if anyone actually cracks the password, it will be of no use.
Example:
[syntax=php]$algorithm = 'whirlpool'; // any name returned by hash_algos()
$password = 'Password';
$salt = 'salt';
$password = $password.$salt; // salt is appended before hashing
$hash = hash($algorithm,$password);[/syntax]
If anyone manages to crack this hash (which will be extremely difficult if you use for example Whirlpool, which has yet to be cracked) they will get the string Passwordsalt, which isn't the actual password.


There are tonnes of information on the internets about hashing, encrypting and decrypting data. I suggest you read a bit on it:
http://www.php.net/manual/en/function.hash.php

/Edit; I will try and find the average time needed to crack each encryption. I'll post it here as an edit if I find it.
/Edit2; I did not find the page I was looking for, but I did find a rather interesting article on how you should store your passwords properly.
http://crackstation.net/hashing-security.htm

By the way, an encryption is always reversible. A hash is designed to not be reversible.
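The salt-then-hash idea from the post above, carried through to storage and verification, as an added example (not Temor's code). It assumes PHP 7+ (for random_bytes() and hash_equals()); the `pw_store`/`pw_verify` names and the `algo$salt$digest` record layout are choices made here, not anything from the thread.

```php
<?php
// Added example, not from the original post: a per-user random salt is
// generated at store time and kept next to the digest, so two users who
// choose the same password do not end up with the same stored value.
// Assumes PHP 7+ for random_bytes() and hash_equals().

const PW_ALGO = 'whirlpool';   // any name from hash_algos()

// Build the stored record in the form "algo$salt$hexdigest".
function pw_store(string $password): string
{
    $salt   = bin2hex(random_bytes(16));          // 32 hex chars, unique per user
    $digest = hash(PW_ALGO, $salt . $password);   // salt mixed in before hashing
    return PW_ALGO . '$' . $salt . '$' . $digest;
}

// Recompute with the stored salt and compare in constant time.
function pw_verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 3 || !in_array($parts[0], hash_algos(), true)) {
        return false;                             // malformed record or unknown algorithm
    }
    [$algo, $salt, $digest] = $parts;
    $candidate = hash($algo, $salt . $password);
    return hash_equals($digest, $candidate);      // no early-exit string compare
}

// Constructed sample input for the demonstration.
$stored = pw_store('Password');
echo $stored, "\n";
echo 'correct password: ', pw_verify('Password', $stored) ? 'accepted' : 'rejected', "\n";
echo 'wrong password:   ', pw_verify('password', $stored) ? 'accepted' : 'rejected', "\n";

// Storing the same password again yields a different record because the
// salt is fresh each time; the verify step still works through the stored salt.
$again = pw_store('Password');
echo 'records identical: ', ($stored === $again) ? 'yes' : 'no', "\n";
```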
Lykos22
Posts: 19
Joined: Sat Mar 24, 2012 9:03 am

Re: security: password encryption

Post by Lykos22 »

Thanks for the reply and all that great stuff you've shared! ;)

I'm going to give it a more in-depth read and exercise soon, I hope.
Just let me get this straight, 'cause I got a little bit confused :?
If I just md5, or sha1 my passwords like this:
[syntax=php]
<?php
$password = md5('password');
echo $password;
?>
[/syntax]

isn't secure enough. But if I encrypt my passwords with md5 or sha1 the way you've said

What you can do is add a salt to your password to further add some security. A salt is a string that's added to the password before hashing it to produce a different string. That way, if anyone actually cracks the password, it will be of no use.
Example:
[syntax=php]$password = 'Password';
$salt = 'salt';
$password = $password.$salt;
$hash = hash($algorithm,$password);[/syntax]
If anyone manages to crack this hash (which will be extremely difficult if you use for example Whirlpool, which has yet to be cracked) they will get the string Passwordsalt, which isn't the actual password.


is it secure enough for a site, or is it better to use other hashing algorithms like Whirlpool? :?:
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: security: password encryption

Post by bowersbros »

Quick addition to this:

Does anyone know the difference between openssl_digest, hash, hash_hmac, crypt, bcrypt and scrypt?
I don't like to brag, but I wasn't circumcised. I was circumnavigated. ;)

Want to learn something new? Or maybe reinforce what you already know? Or just help out? Please subscribe to my videos: http://goo.gl/58pN9
Temor
Posts: 1186
Joined: Thu May 05, 2011 8:04 pm

Re: security: password encryption

Post by Temor »

After some quick knowledge refresh I came to the conclusion that:

hash is the exact same thing as openssl_digest.
hash_hmac is the same thing as hash except it runs twice every time it's called.
The difference between hash and crypt is that crypt is slower, and computationally expensive. So it is less vulnerable to brute forcing.
bcrypt is slower than crypt and uses more memory, and therefore even less vulnerable to brute forcing.
scrypt is an experimental function that's not yet available for php but is supposed to use A LOT more memory than bcrypt. (bcrypt = 4-5kb memory, scrypt = 20-40mb memory)
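To make the "slower and computationally expensive" point above concrete, here is an added example (not Temor's code) that times a salted hash() digest against bcrypt, which PHP exposes through password_hash() on top of crypt()'s "$2y$" scheme. It assumes PHP 7.4+ (hrtime() and arrow functions); the `time_ns` helper and the cost values are choices made here, and the measured numbers will differ per machine.

```php
<?php
// Added example, not from the original post. Compares the per-call cost of a
// one-shot hash() digest with bcrypt at several cost factors. Assumes PHP 7.4+.

// Average nanoseconds per call of $fn over $rounds calls.
function time_ns(callable $fn, int $rounds): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn();
    }
    return (hrtime(true) - $start) / $rounds;
}

// Constructed sample input, matching the earlier post.
$password = 'Password';
$salt     = 'salt';

// One salted Whirlpool digest: a single pass, so the attacker pays the same
// tiny price per guess that the server pays per login.
$fast = time_ns(fn() => hash('whirlpool', $password . $salt), 1000);

// bcrypt does 2^cost rounds of key setup, so each +1 on the cost doubles the
// work per guess; the defender can raise it as hardware gets faster.
$bcrypt = [];
foreach ([4, 8, 10, 12] as $cost) {
    $bcrypt[$cost] = time_ns(
        fn() => password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]),
        3
    );
}

printf("whirlpool:       %10.1f us per hash\n", $fast / 1e3);
foreach ($bcrypt as $cost => $ns) {
    printf("bcrypt cost %2d:  %10.1f ms per hash (%.0fx whirlpool)\n",
        $cost, $ns / 1e6, $ns / $fast);
}

// Verification reads the cost and the salt back out of the stored
// "$2y$10$..." string, so no separate salt column is needed.
$stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
echo $stored, "\n";
echo 'verify correct: ', password_verify($password, $stored) ? 'accepted' : 'rejected', "\n";
echo 'verify wrong:   ', password_verify('password', $stored) ? 'accepted' : 'rejected', "\n";
```

The ratio printed in the last column is the factor by which bcrypt slows down an offline guessing run relative to the plain digest on the same hardware.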