Password hashing

cap2cap10
Forum Contributor
Posts: 158
Joined: Mon Apr 14, 2008 11:06 pm

Password hashing

Post by cap2cap10 »

Greetings again, members of the PHP Technorati. I come to you perplexed by the issues of encryption strength and password
hashing. I need to know how strong this script is against brute-force attacks, et al. Should I add some type of password
stretching, or just settle for password_hash() for protecting passwords in a DB using one-way encryption?

Here is the script:

function myObscurepass($userpassword, $saltHash = null, $mode = 'sha512') {
    // hash the password text //
    $textHash = hash($mode, $userpassword);
    // the salt is spliced in at an offset equal to the password length //
    $saltStart = strlen($userpassword);
    // if no salt given, create a random one //
    // (uniqid(rand(), true) is not a CSPRNG; random_bytes() is the modern source) //
    if ($saltHash === null) {
        $saltHash = hash($mode, uniqid(rand(), true));
    }
    // splice the salt into the text hash at the password-length position and hash again //
    if ($saltStart > 0 && $saltStart < strlen($saltHash)) {
        $textHashStart = substr($textHash, 0, $saltStart);
        $textHashEnd = substr($textHash, $saltStart);
        $outHash = hash($mode, $textHashEnd . $saltHash . $textHashStart);
    } elseif ($saltStart > (strlen($saltHash) - 1)) {
        $outHash = hash($mode, $textHash . $saltHash);
    } else {
        $outHash = hash($mode, $saltHash . $textHash);
    }
    // prepend the salt so it can be recovered for verification //
    // (salt length is the hex digest length of $mode, 128 chars for sha512) //
    return $saltHash . $outHash;
}
 
The law requires that I use only algorithms approved by NIST (National Institute of Standards and Technology) for password hashing:
SHA-2, SHA-3, etc.

Thanks in advance

Batoe
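As an added example (editor's code, not the original poster's script and not from the reply below), here are the two standard ways to answer the stretching question in PHP: password_hash() with bcrypt, which PHP tunes through a cost factor and self-describes in its output string, and PBKDF2 over SHA-512 via hash_pbkdf2(), which gives an explicit iteration count built only from a SHA-2 primitive. The cost of 12, the 210,000 iterations, the 16-byte salt and the "algo$iterations$salt$hash" record layout are illustrative choices, not values from the page; PHP 7.0 or later is assumed for random_bytes().

```php
<?php
// Added example (not the original poster's code): two ways to store a
// stretched password hash in PHP, each with its verification routine.
// Assumptions: PHP >= 7.0; the cost/iteration values are illustrative and
// should be tuned so one hash takes roughly 100 ms on the target host.

declare(strict_types=1);

// --- Option 1: password_hash() with bcrypt --------------------------------
// The returned string embeds algorithm, cost and salt, so one column suffices.
function storePasswordBcrypt(string $password): string
{
    // cost is the work factor: each +1 doubles the time (2^cost rounds)
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPasswordBcrypt(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Call this after a successful login; if true, rehash with the new cost.
function bcryptNeedsUpgrade(string $stored, int $newCost): bool
{
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $newCost]);
}

// --- Option 2: PBKDF2 over SHA-512 via hash_pbkdf2() ----------------------
// An explicit iteration count is the "password stretching" asked about,
// built from nothing but a SHA-2 hash and HMAC.
const PBKDF2_ALGO       = 'sha512';
const PBKDF2_ITERATIONS = 210000; // assumed value, tune per host
const PBKDF2_SALT_BYTES = 16;

function storePasswordPbkdf2(string $password): string
{
    $salt = random_bytes(PBKDF2_SALT_BYTES); // CSPRNG, unlike uniqid(rand())
    // length 0 with raw output = full digest length (64 bytes for sha512)
    $dk = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, PBKDF2_ITERATIONS, 0, true);
    // Self-describing record (assumed layout): algo$iterations$salt$hash,
    // so the iteration count can be raised later without breaking old rows.
    return implode('$', [
        'pbkdf2-' . PBKDF2_ALGO,
        (string) PBKDF2_ITERATIONS,
        base64_encode($salt),
        base64_encode($dk),
    ]);
}

function checkPasswordPbkdf2(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || strpos($parts[0], 'pbkdf2-') !== 0) {
        return false;
    }
    $algo       = substr($parts[0], strlen('pbkdf2-'));
    $iterations = (int) $parts[1];
    $salt       = base64_decode($parts[2], true);
    $expected   = base64_decode($parts[3], true);
    if ($salt === false || $expected === false || $iterations < 1
        || !in_array($algo, hash_algos(), true)) {
        return false;
    }
    // recompute with the parameters stored in the record itself
    $dk = hash_pbkdf2($algo, $password, $salt, $iterations, strlen($expected), true);
    return hash_equals($expected, $dk); // constant-time comparison
}

// --- Demo on a constructed password ----------------------------------------
$pw = 'correct horse battery staple';

$bcryptRecord = storePasswordBcrypt($pw);
var_dump(checkPasswordBcrypt($pw, $bcryptRecord));
var_dump(checkPasswordBcrypt('wrong password', $bcryptRecord));
var_dump(bcryptNeedsUpgrade($bcryptRecord, 13));

$pbkdf2Record = storePasswordPbkdf2($pw);
echo $pbkdf2Record, PHP_EOL;
var_dump(checkPasswordPbkdf2($pw, $pbkdf2Record));
var_dump(checkPasswordPbkdf2('wrong password', $pbkdf2Record));
```

Two design points worth noting against the posted script: the salt comes from random_bytes() rather than uniqid(rand()), and the comparison uses hash_equals() so that a mismatch does not leak its position through timing. Storing the algorithm and iteration count next to the hash is what lets you raise the work factor later and rehash each user on their next successful login.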
requinix
Spammer :|
Posts: 6617
Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA

Re: Password hashing

Post by requinix »

cap2cap10 wrote: The law requires that I use only algorithms approved by NIST (National Institute of Standards and Technology) for password hashing:
SHA-2, SHA-3, etc.
Can you point out the reference you're using? I'm only aware of recommendations regarding message digests and cryptographic key derivation, neither of which apply to password hashes.