Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 2:26 pm
by spedula
Hi, I was bored yesterday and came up with this idea for password encryption.

Basically, take the password that the user supplies at registration and split it into individual characters. Assign a number to each character and then combine all the resulting numbers into a string. So instead of 2+2 = 4, 2+2 = 22. Then take this string and use it as a SALT for the md5 hashing of the pw.

This is the function that I made to achieve this. Please, comment on it because I'm pretty sure that there is a much more elegant way to achieve this or I did something wrong somewhere. Haven't had time to test it out yet.

Code:

function splitPw($inputstring) {
  $pw = '';        // digit string built from the password, used as the salt
  $b = array();    // number assigned to each character position
  for ($i = 0; $i < strlen($inputstring); $i++)
  {
     $letter = $inputstring[$i];   // current character
     if ($letter == 'a') {
        $b[$i] = 1;
     }
     else if ($letter == 'b') {
        $b[$i] = 2;
     }
     else if ($letter == 'c') {
        $b[$i] = 3;
     }
     else if ($letter == 'd') {
        $b[$i] = 4;
     }
     else if ($letter == 'e') {
        $b[$i] = 5;
     }
     else if ($letter == 'f') {
        $b[$i] = 6;
     }
     else if ($letter == 'g') {
        $b[$i] = 7;
     }
     else if ($letter == 'h') {
        $b[$i] = 8;
     }
     else if ($letter == 'i') {
        $b[$i] = 9;
     }
     else if ($letter == 'j') {
        $b[$i] = 10;
     }
     else if ($letter == 'k') {
        $b[$i] = 11;
     }
     else if ($letter == 'l') {
        $b[$i] = 12;
     }
     else if ($letter == 'm') {
        $b[$i] = 13;
     }
     else if ($letter == 'n') {
        $b[$i] = 14;
     }
     else if ($letter == 'o') {
        $b[$i] = 15;
     }
     else if ($letter == 'p') {
        $b[$i] = 16;
     }
     else if ($letter == 'q') {
        $b[$i] = 17;
     }
     else if ($letter == 'r') {
        $b[$i] = 18;
     }
     else if ($letter == 's') {
        $b[$i] = 19;
     }
     else if ($letter == 't') {
        $b[$i] = 20;
     }
     else if ($letter == 'u') {
        $b[$i] = 21;
     }
     else if ($letter == 'v') {
        $b[$i] = 22;
     }
     else if ($letter == 'w') {
        $b[$i] = 23;
     }
     else if ($letter == 'x') {
        $b[$i] = 24;
     }
     else if ($letter == 'y') {
        $b[$i] = 25;
     }
     else if ($letter == 'z') {
        $b[$i] = 26;
     }
     // Characters other than a-z get no number and add nothing to the salt.
     if (isset($b[$i])) {
        $pw = $pw.$b[$i];
     }
  }
  // The digit string is prepended to the password as the salt before hashing.
  return md5($pw.$inputstring);
}

$password = splitPw($_POST['password']);

Thanks! :wink:

Re: Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 2:36 pm
by Celauran
You could try something like:

Code:

$alphabet = 'abcdefghijklmnopqrstuvwxyz';

for ($i = 0; $i < strlen($password); $i++)
{
    $b[$i] = strpos($alphabet, $password[$i]);
}

But that still leaves some significant shortcomings. What happens if their password contains capital letters, or numbers, or special characters?

Re: Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 2:56 pm
by spedula
Hmm.... Yes. I see what you mean. I haven't accounted for that.

Thanks for the strpos() idea. I didn't know about this function. If you run that function and it would return false... so...

Would it be possible to do something like this?

Code:

for ($i = 0; $i < strlen($password); $i++)
{
    $b[$i] = strpos($alphabet, $password[$i]);
    // strpos() returns 0 for the first character, so compare strictly with false
    if ($b[$i] === false) {
        $b[$i] = strpos($CAPalphabet, $password[$i]);
        if ($b[$i] === false) {
            // Special Char Code
        }
    }
}


Re: Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 3:01 pm
by Celauran
Actually, never mind the $alphabet nonsense. I was so busy thinking about Python's translation tables that I missed what might be a much better solution.

Code:

for ($i = 0; $i < strlen($password); $i++)
{
    $b[$i] = ord($password[$i]);
}

ord() seems much better suited to what you're trying to accomplish.

Re: Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 3:05 pm
by s.dot
A salt should be unique to each user. This way, two identical passwords are not stored as the same hash in the database. Your salting function would still result in identical passwords being identical hashes.

But for a more elegant approach to your function (this still doesn't account for symbols, spaces, tabs, and other characters)

Code:

function splitPw($input)
{
	$out = '';
	$input = str_split($input);
	$chars = array_merge(range('a', 'z'), range('A', 'Z'), range(0, 9));
	
	foreach ($input AS $char)
	{
		$out .= array_search($char, $chars) + 1;
	}
	
	return $out;
}

echo splitPw('abcdef');

Re: Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 3:18 pm
by spedula
s.dot

Thanks for the input. I neglected to think that far. My main concern with the random SALT method is that the SALT needs to be stored in the DB anyway, and if so, then if someone has access to the DB they can still get the value of the SALT for that specific user. Therefore, bypassing the need for the SALT in the first place...

Or am I completely missing the point here... :crazy:

Re: Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 3:22 pm
by Celauran
The salt + password combo will be stored in the database as an md5 hash. The salt can be recomputed from the user's login form information. To make it unique per user, you could use a combination of username and password to create the salt.

Re: Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 3:26 pm
by spedula
OHHHHH

I see now. The way I was going to do it before was to generate a random number, then store it in the DB as well.

What you mentioned is a much better method.

I'm going to go write this out now.

Thanks for the help guys. :D

Re: Password encryption and String Split Question.

Posted: Fri Nov 12, 2010 3:53 pm
by Celauran
Wait, no, I'm stupid. If the salt is simply composed of username and password, there's really no point in having it.
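
The per-user salt point and the "salt is stored in the DB anyway" question from this thread, as an added example that is not code from any poster: it compares a salt derived from the password with a random salt stored beside the hash, then shows PHP's built-in password_hash(). Function names and the sample password are made up for illustration; PHP 7.1 or later is assumed.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// The thread's scheme (ord() variant): the salt is computed from the password.
function derivedSaltHash(string $password): string
{
    $salt = '';
    foreach (str_split($password) as $char) {
        $salt .= ord($char);
    }
    return md5($salt . $password);
}

// Random per-user salt, stored beside the hash. md5 is kept only to match
// the thread; it is far too fast for password storage.
function randomSaltHash(string $password, ?string $salt = null): array
{
    $salt = $salt ?? bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($salt . $password)];
}

function randomSaltVerify(string $password, array $record): bool
{
    $candidate = randomSaltHash($password, $record['salt']);
    return hash_equals($record['hash'], $candidate['hash']);
}

// Constructed sample: two users who chose the same password.
$alice = 'hunter2';
$bob   = 'hunter2';

// Derived salt is a pure function of the password, so the two rows match
// and one precomputed table of md5(salt(p) . p) covers every user.
echo "derived salt, same hash:  ";
var_dump(derivedSaltHash($alice) === derivedSaltHash($bob));

// Random salt: rows differ even though the salt is readable in the DB;
// guessing work has to be redone separately for each row.
$rowA = randomSaltHash($alice);
$rowB = randomSaltHash($bob);
echo "random salt, same hash:   ";
var_dump($rowA['hash'] === $rowB['hash']);
echo "random salt, verify ok:   ";
var_dump(randomSaltVerify('hunter2', $rowA));

// Built-in API: generates the salt, embeds it in the output, uses a slow hash.
$stored = password_hash($alice, PASSWORD_DEFAULT);
echo "password_hash, verify ok: ";
var_dump(password_verify('hunter2', $stored) && !password_verify('hunter3', $stored));
```

A salt does not need to be secret to do its job; it only needs to differ per user, which is why storing it in the same row as the hash is normal practice.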