Password encryption and String Split Question.

spedula
Forum Commoner
Posts: 81
Joined: Mon Mar 29, 2010 5:24 pm

Password encryption and String Split Question.

Post by spedula »

Hi, I was bored yesterday and came up with this idea for password encryption.

Basically, take the password that the user supplies at registration and split it into individual characters. Assign a number to each character and then combine all the resulting numbers into a string. So instead of 2+2 = 4, 2+2 = 22. Then take this string and use it as a SALT for the md5 hashing of the pw.

This is the function that I made to achieve this. Please, comment on it because I'm pretty sure that there is a much more elegant way to achieve this or I did something wrong somewhere. Haven't had time to test it out yet.

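Code:

function splitPw($inputstring) {
  $pw = ''; // collects the digit string that is used as the salt
  for($i=0;$i<strlen($inputstring);$i++)
  {
     // current character, held as a single value so the comparisons below work
     $letterarray=$inputstring[$i];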
        if ($letterarray == 'a')  {
           $b[$i] = 1;
        }
       else if ($letterarray == 'b') {
           $b[$i] = 2;
        }
        else if ($letterarray == 'c')  {
           $b[$i] = 3;
        }
       else if ($letterarray == 'd') {
           $b[$i] = 4;
        }
       else if ($letterarray == 'e')  {
           $b[$i] = 5;
        }
       else if ($letterarray == 'f') {
           $b[$i] = 6;
        }
       else if ($letterarray == 'g')  {
           $b[$i] = 7;
        }
       else if ($letterarray == 'h') {
           $b[$i] = 8;
        }
       else if ($letterarray == 'i')  {
           $b[$i] = 9;
        }
       else if ($letterarray == 'j') {
           $b[$i] = 10;
        }
        else if ($letterarray == 'k')  {
           $b[$i] = 11;
        }
       else if ($letterarray == 'l') {
           $b[$i] = 12;
        }
        else if ($letterarray == 'm')  {
           $b[$i] = 13;
        }
       else if ($letterarray == 'n') {
           $b[$i] = 14;
        }
       else if ($letterarray == 'o') {
           $b[$i] = 15;
        }
        else if ($letterarray == 'p')  {
           $b[$i] = 16;
        }
       else if ($letterarray == 'q') {
           $b[$i] = 17;
        }
        else if ($letterarray == 'r')  {
           $b[$i] = 18;
        }
       else if ($letterarray == 's') {
           $b[$i] = 19;
        }
       else if ($letterarray == 't') {
           $b[$i] = 20;
        }
        else if ($letterarray == 'u')  {
           $b[$i] = 21;
        }
       else if ($letterarray == 'v') {
           $b[$i] = 22;
        }
        else if ($letterarray == 'w')  {
           $b[$i] = 23;
        }
       else if ($letterarray == 'x') {
           $b[$i] = 24;
        }
        else if ($letterarray == 'y')  {
           $b[$i] = 25;
        }
       else if ($letterarray == 'z') {
           $b[$i] = 26;
        }
      $pw = $pw.$b[$i]; // append this character's number to the salt string
   }
return md5($pw.$inputstring);
}

$password = splitPw($_POST['password']);

Thanks! :wink:

Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Password encryption and String Split Question.

Post by Celauran »

You could try something like:

Code:

$alphabet = 'abcdefghijklmnopqrstuvwxyz';

for ($i = 0; $i < strlen($password); $i++)
{
    // 0-based position of the character in $alphabet, or false if it is not in there
    $b[$i] = strpos($alphabet, $password[$i]);
}

But that still leaves some significant shortcomings. What happens if their password contains capital letters, or numbers, or special characters?

spedula
Forum Commoner
Posts: 81
Joined: Mon Mar 29, 2010 5:24 pm

Re: Password encryption and String Split Question.

Post by spedula »

Hmm.... Yes. I see what you mean. I haven't accounted for that.

Thanks for the strpos() idea. I didn't know about this function. If you run that function and it would return false... so...

Would it be possible to do something like this?

Code:

for ($i = 0; $i < strlen($password); $i++)
{
    $b[$i] = strpos($alphabet, $password[$i]);
    // strpos() returns 0 for a match at the first position, so test for false explicitly
    if($b[$i] === false) {
          $b[$i] = strpos($CAPalphabet, $password[$i]);
          if($b[$i] === false) {
           // Special Char Code
          }
    }
}

Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Password encryption and String Split Question.

Post by Celauran »

Actually, never mind with the $alphabet nonsense. I was so busy thinking about Python's translation tables that I missed what might be a much better solution.

Code:

for ($i = 0; $i < strlen($password); $i++)
{
    // byte value of the character
    $b[$i] = ord($password[$i]);
}

ord() seems much better suited to what you're trying to accomplish.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: Password encryption and String Split Question.

Post by s.dot »

A salt should be unique to each user. This way, two identical passwords are not stored as the same hash in the database. Your salting function would still result in identical passwords being identical hashes.

But for a more elegant approach to your function (this still doesn't account for symbols, spaces, tabs, and other characters)

Code:

function splitPw($input)
{
	$out = '';
	$input = str_split($input);
	$chars = array_merge(range('a', 'z'), range('A', 'Z'), range(0, 9));
	
	foreach ($input AS $char)
	{
		$out .= array_search($char, $chars) + 1;
	}
	
	return $out;
}

echo splitPw('abcdef');

spedula
Forum Commoner
Posts: 81
Joined: Mon Mar 29, 2010 5:24 pm

Re: Password encryption and String Split Question.

Post by spedula »

s.dot

Thanks for the input. I neglected to think that far. My main concern with the random SALT method is that the SALT needs to be stored in the DB anyway, and if so then if someone has access to the DB they can still get the value of the SALT for that specific user. Therefore, bypassing the need for the SALT in the first place...

Or am I completely missing the point here... :crazy:

Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Password encryption and String Split Question.

Post by Celauran »

The salt + password combo will be stored in the database as an md5 hash. The salt can be recomputed from the user's login form information. To make it unique per user, you could use a combination of username and password to create the salt.

spedula
Forum Commoner
Posts: 81
Joined: Mon Mar 29, 2010 5:24 pm

Re: Password encryption and String Split Question.

Post by spedula »

OHHHHH

I see now. The way I was going to do it before was to generate a random number, then store it in the DB as well.

What you mentioned is a much better method.

I'm going to go write this out now.

Thanks for the help guys. :D

Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: Password encryption and String Split Question.

Post by Celauran »

Wait, no, I'm stupid. If the salt is simply composed of username and password, there's really no point in having it.
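
Added example (not code from any poster in this thread): it contrasts the password-derived salt discussed above, built with the ord() suggestion, with PHP's built-in password_hash() and password_verify(), which generate a random salt per call and keep it inside the stored hash string. The user names and passwords are constructed sample data, and derivedSaltHash() is a name chosen for this illustration.

```php
<?php
// The thread's scheme: the "salt" is computed from the password itself
// (ord() of each character, concatenated) and fed to md5 with the password.
function derivedSaltHash(string $password): string
{
    $salt = '';
    foreach (str_split($password) as $char) {
        $salt .= ord($char);
    }
    return md5($salt . $password);
}

// Constructed sample data: alice and bob picked the same password.
$users = [
    'alice' => 'hunter2',
    'bob'   => 'hunter2',
    'carol' => 'correct horse',
];

echo "Password-derived salt + md5:\n";
foreach ($users as $name => $password) {
    printf("  %-5s %s\n", $name, derivedSaltHash($password));
}
// The salt is a pure function of the password, so equal passwords
// always produce equal stored values.
echo "  alice and bob identical: ";
var_export(derivedSaltHash($users['alice']) === derivedSaltHash($users['bob']));
echo "\n\n";

echo "password_hash() with a random per-user salt:\n";
$stored = [];
foreach ($users as $name => $password) {
    // The returned string carries the algorithm, cost and salt along with
    // the hash, so one database column is enough.
    $stored[$name] = password_hash($password, PASSWORD_DEFAULT);
    printf("  %-5s %s\n", $name, $stored[$name]);
}
echo "  alice and bob identical: ";
var_export($stored['alice'] === $stored['bob']);
echo "\n";

// Login check: password_verify() reads the salt back out of the stored string.
echo "  alice logs in with her password: ";
var_export(password_verify('hunter2', $stored['alice']));
echo "\n  carol's record with alice's password: ";
var_export(password_verify('hunter2', $stored['carol']));
echo "\n";
```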