0

I just recently began looking into password encryption. My current code looks like this :

<?php
define('salt','7hPqMO(m=F+!!L6(#Yhp-CdF, &Q}+cIrA;c@wcP(E--V<qRmq!v*aSnM;H=4cD0');
$password = "CatsRsoCool47";
$myHash = hash( 'whirlpool',salt.$password );

echo $myHash;
?>

How would I check if the user inputed the correct password? I assume there is some sort of built in function that takes the parameters of the salt,hash and the encryption method and returns a boolean.

Also, what is the safest way of generating a salt? The current salt I have is static and the same for every user. Should I do something like 

$salt = Time()+'7hPqMO(m=F+!!L6(#Yhp-CdF, &Q}+cIrA;c@wcP(E--V<qRmq!v*aSnM;H';

If it was done like so, wouldn't I have to store the timestamp in the database per user. Isn't that a security flaw?

I am lost.... Please suggest the best way to hash and check passwords. A script would be nice to look at :) This question might also be a possible duplicate, if so I'm very sorry

1 Answers1

1

Basically, when a password comes in, whatever you did to store the password, you use the same thing applied to the incoming password.

You can then check that the two salt+hash values are the same.

It's as simple as that - do the same thing to the two passwords and you should get the same result.

You're right to be worried about using the same salt every time. What you really want to do it to use a different salt each time. You can then store the salt alongside the password. It sounds counter-intuitive, but this is perfectly OK. Having the salt doesn't allow you to reverse the hash as the process isn't reversible anyway.

Then, when you want to check a password, you look up the user, get their salt, use it to apply the hash and then check what you end up with against their stored hash.

For example (using a constant salt), you might have something like:

<?php
define('salt','7hPqMO(m=F+!!L6(#Yhp-CdF, &Q}+cIrA;c@wcP(E--V<qRmq!v*aSnM;H=4cD0');

$incomingPassword = $_POST['password'];
$storedHash = getStoredHash( $_POST['username'] );

$incomingHash = hash( 'whirlpool',salt.$incomingPassword );

if ( $incomingHash == $storedHash ) {
  echo('Passwords match!');
}

?>

Hopefully it's easy to see how you might use this technique with a moving salt.

Note - this is not encryption - the whole point is that the method is one way. You generate something that cannot be used to retrieve the actual password. Encryption implies the process is reversible.

Attacks on hashed passwords are done by what's called a 'rainbow table'.

The attacker builds a table of possible password alongside their corresponding hashes using the same technique that you use. This table is then compared against your stored passwords. When there's a match the attacker can then infer the password that was stored for that row.

Having a single salt makes this easier as the technique is identical for every password. If you use a different salt per row then the technique has a random factor meaning the attacker needs a MUCH bigger rainbow table to attack you with - essentially a full sized table per row.

Rob Baillie
  • 3,436
  • 2
  • 20
  • 34
  • *"Encryption implies the process is reversible."* --- You mean "hashing". – Funk Forty Niner Apr 06 '14 at 22:55
  • 1
    @Fred-ii- I'm assuming that you are correcting me. No I don't. I mean that using the word "encryption" to describe what you do to store a password is incorrect. If you encrypt something then the process can be reversed. I.E., if you have the key you can read the encrypted message. When you hash something you perform a one-way process. You can brute-force to get a match for the message, but there is no 'key' to reverse the hash. In short. **This is not encryption, encryption implies the process is reversible. What you are doing is not reversible, therefore it's not encryption** – Rob Baillie Apr 06 '14 at 22:59
  • @Rob Baillie Whats the built in function to read this hash? Could you show a specific example... Do you just hash the current hash? :P –  Apr 06 '14 at 23:06
  • Oh Lordy, sorry... my dyslexia has gotten the best of me "again". @RobBaillie I read it as "irreversible". I constantly have to re-read stuff which is a major pain in the neck for me. – Funk Forty Niner Apr 06 '14 at 23:24
  • No, you don't hash the hash the hash, you hash the incoming password. My example would be exactly the same as the one you provide, but with `$password` replaced with `$incomingpassword`... – Rob Baillie Apr 07 '14 at 05:43
  • No problem @Fred-ii-, you gave me an excuse to get all ranty about something I think is very important. – Rob Baillie Apr 07 '14 at 05:51
  • what does the getStoredHash function do? Also what is the value of $storedPassword? –  Apr 07 '14 at 12:43
  • getStoredHash would return the hashed password that you previously stored against the user. That is `$myHash` from your original example. Apologies for the confusion with `$storedPassword`. Both it and the incoming version should, of course, be `Hash` rather than `Password`. My example has been corrected. – Rob Baillie Apr 07 '14 at 14:02