
Hashing a password

hash md5 sha php

11 replies to this topic

#1 whitebread

whitebread

    Neowinian Senior

  • Joined: 09-April 06
  • Location: Waterloo Region, ON
  • OS: OS X Lion 10.7.4
  • Phone: iPhone 4S

Posted 12 February 2012 - 18:17

Using PHP, is there a built-in function for hashing a password (a string) before storing it in a MySQL database? I'm trying to build a registration page and don't want to store passwords in clear-text.


#2 stevember

stevember

    'But thats just me....'

  • Tech Issues Solved: 2
  • Joined: 13-August 01
  • Location: Cornwall, UK

Posted 12 February 2012 - 18:24

Yeah, md5(); however, it's a good idea to 'salt' it as well.

#3 +Freelancer1111

Freelancer1111

    Neowinian

  • Joined: 11-December 10
  • Location: Germany
  • OS: Windows 7 x64 Ultimate

Posted 12 February 2012 - 18:27

For example, the MD5 hash:
http://php.net/manua...unction.md5.php

#4 OP whitebread

whitebread

    Neowinian Senior

  • Joined: 09-April 06
  • Location: Waterloo Region, ON
  • OS: OS X Lion 10.7.4
  • Phone: iPhone 4S

Posted 12 February 2012 - 18:29

> Yeah, md5(); however, it's a good idea to 'salt' it as well.

How would I salt it?

#5 -Alex-

-Alex-

    Noob Hunter

  • Joined: 08-August 06
  • Location: Oslo, Norway

Posted 12 February 2012 - 18:33

Here's a (variation of the) function I use in my sites:

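function passwordHash($unencrypted, $usernameOrOtherStaticVar)
{
    // Salt: MD5 of the lowercased username (or other static value) plus a fixed site-wide string
    $salt = md5(strtolower($usernameOrOtherStaticVar) . 'someSaltHere');
    // Stored value: SHA-512 over the salt followed by the plaintext password
    return hash('sha512', $salt . $unencrypted);
}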


Salted and double hashed :)

#6 Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 12 February 2012 - 18:35

You could use your own encryption; 128-bit, anyone?

#7 -Alex-

-Alex-

    Noob Hunter

  • Joined: 08-August 06
  • Location: Oslo, Norway

Posted 12 February 2012 - 18:41

> You could use your own encryption; 128-bit, anyone?

You shouldn't reinvent the wheel when it comes to cryptography... besides SHA512 is (at least) 4x stronger.

#8 Original Poster

Original Poster

    C++ n00b

  • Tech Issues Solved: 1
  • Joined: 15-July 08
  • Location: my room
  • OS: windows 7, backtrack 5, OSx 10.6

Posted 12 February 2012 - 18:45

> You shouldn't reinvent the wheel when it comes to cryptography... besides SHA512 is (at least) 4x stronger.



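function protect($email) {
    // Placeholder; replace with a random 16-, 24- or 32-byte key
    $key = 'insert-random-key-here';
    // The IV size and the cipher mode must match; a fresh random IV is generated per message
    $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
    $iv = mcrypt_create_iv($size, MCRYPT_DEV_URANDOM);
    // Prepend the IV so the ciphertext can be decrypted later
    return $iv . mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $key, $email, MCRYPT_MODE_CBC, $iv);
}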

This is what I use to encrypt emails. I am still undecided what to have as my passwords, but I have been using md5 for the past 5 years, so ya know.

Obviously I know the benefits of irreversible hashing, but I also know the benefits of a random key which you can then reverse.

I have not tried it out, but do you think encrypting the hash would be of any use? Or would it just cause an error?

#9 Jose_49

Jose_49

    Neowinian Senior

  • Tech Issues Solved: 2
  • Joined: 30-July 09

Posted 12 February 2012 - 18:47

Learned something new today! Thanks Alex!

#10 n_K

n_K

    Neowinian Senior

  • Tech Issues Solved: 3
  • Joined: 19-March 06
  • Location: here.
  • OS: FreeDOS
  • Phone: Nokia 3315

Posted 12 February 2012 - 19:01

PHP functions:
sha1(), md5(), mcrypt (not always available)

MySQL functions:
sha2(key_size, 'string')
key_size = 192, 256, 512, etc.

#11 -Alex-

-Alex-

    Noob Hunter

  • Joined: 08-August 06
  • Location: Oslo, Norway

Posted 12 February 2012 - 19:14

> This is what I use to encrypt emails. I am still undecided what to have as my passwords, but I have been using md5 for the past 5 years, so ya know.

MD5 has been proven to be very insecure nowadays (Google 'rainbow tables'... also it doesn't take very long to crack).

SHA1 has also succumbed to the same fate.

Thus SHA256/512 is recommended nowadays.

Also, using a salt in any of these functions prevents rainbow tables from being used.

> Learned something new today! Thanks Alex!

Glad I could teach someone something! :)

#12 pickypg

pickypg

    Neowinian

  • Joined: 28-January 10

Posted 13 February 2012 - 03:13

> MD5 has been proven to be very insecure nowadays (Google 'rainbow tables'... also it doesn't take very long to crack).
>
> SHA1 has also succumbed to the same fate.

Yep. The US government has said that government departments must phase out their usage.
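
Added example, not part of the thread or any poster's code: the salting idea discussed above, done with PHP's built-in password_hash() and password_verify(), plus a login check that upgrades rows still stored with the username-salted SHA-512 scheme from post #5. It assumes PHP 7.1 or later; the names legacyHash, storeHash and checkLogin and the sample user are hypothetical.

```php
<?php
// Scheme from post #5, kept for comparison: salt derived from the username,
// one fast SHA-512 pass. Same inputs always produce the same stored value.
function legacyHash(string $password, string $username): string
{
    $salt = md5(strtolower($username) . 'someSaltHere');
    return hash('sha512', $salt . $password);
}

// password_hash() picks a random salt on every call and encodes algorithm,
// cost and salt inside the returned string, so no separate salt column is needed.
function storeHash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify a login against a stored value that is either a legacy 128-hex-digit
// SHA-512 string or a password_hash() string.
// Returns [bool $ok, ?string $replacement]; when $replacement is not null the
// caller should overwrite the stored value with it.
function checkLogin(string $username, string $password, string $stored): array
{
    if (preg_match('/^[0-9a-f]{128}$/', $stored) === 1) {
        // Legacy row: constant-time comparison, then upgrade on success.
        $ok = hash_equals($stored, legacyHash($password, $username));
        return [$ok, $ok ? storeHash($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    $stale = password_needs_rehash($stored, PASSWORD_DEFAULT);
    return [true, $stale ? storeHash($password) : null];
}

// Constructed sample data, not taken from the thread.
$user = 'alice';
$pw   = 'correct horse battery staple';

// Compare two legacy hashes of the same username and password.
var_dump(legacyHash($pw, $user) === legacyHash($pw, $user));
// Compare two password_hash() results for the same password.
var_dump(storeHash($pw) === storeHash($pw));

// Log in against a legacy row and check that the replacement hash verifies.
[$ok, $replacement] = checkLogin($user, $pw, legacyHash($pw, $user));
var_dump($ok, $replacement !== null && password_verify($pw, $replacement));
// Try a wrong password against the upgraded hash.
var_dump(checkLogin($user, 'wrong guess', $replacement));
```

The string returned by password_hash() can grow when the default algorithm changes, so the PHP manual recommends a 255-character column for it.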