
Password hashing

Posted: Thu Feb 12, 2015 9:58 pm
by cap2cap10
Greetings again, members of the PHP Technorati. I come to you perplexed by the issues of encryption strength and password
hashing. I need to know how strong this script is against BRUTE FORCE attacks, et al. Should I add in some type of password
stretching, or just settle for password_hash() security for protecting passwords in a DB using one-way encryption?

Here is the script:


<?php
// Hash a password with a salt spliced in at an offset derived from the
// password length. Returns the salt (hex) concatenated with the final hash.
function myObscurepass($userpassword, $saltHash = null, $mode = 'sha512') {
    // hash the plaintext password //
    $textHash = hash($mode, $userpassword);
    // the salt is spliced in at an offset equal to the password length //
    $saltStart = strlen($userpassword);
    // if no salt given, create a random one (same length as the hash) //
    if (empty($saltHash)) {
        $saltHash = hash($mode, uniqid(rand(), true));
    }
    // split the text hash at the offset, wrap the salt in it, and hash again //
    if ($saltStart > 0 && $saltStart < strlen($saltHash)) {
        $textHashStart = substr($textHash, 0, $saltStart);
        $textHashEnd   = substr($textHash, $saltStart, strlen($saltHash));
        $outHash = hash($mode, $textHashEnd . $saltHash . $textHashStart);
    } elseif ($saltStart > (strlen($saltHash) - 1)) {
        // password at least as long as the salt: salt goes after the hash //
        $outHash = hash($mode, $textHash . $saltHash);
    } else {
        // empty password: salt goes before the hash //
        $outHash = hash($mode, $saltHash . $textHash);
    }
    // put the salt at the front so it can be recovered for verification //
    return $saltHash . $outHash;
}
 
The law requires I use only algorithms approved by NIST (National Institute of Standards and Technology) for password hashing:
SHA-2, SHA-3, etc.

Thanks in advance

Batoe
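
For comparison, an added example (not code from the post above, nor from the reply that follows): it times the per-guess work of the posted scheme against password_hash() (bcrypt) and hash_pbkdf2() with HMAC-SHA-512, and shows a store-and-verify pair for the PBKDF2 variant. It assumes PHP 7.4 or later (random_bytes(), arrow functions); the function names, the "pbkdf2-sha512$..." storage layout, the benchmark salt and the sample passwords are this example's own choices, and the measured rates depend on the machine it runs on.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.4.
// Function names and the stored-string layout below are this example's own.
declare(strict_types=1);

// What an attacker pays per guess against the posted scheme: one SHA-512 of
// the candidate password, then one more over the result mixed with the salt.
// (Same number of hash calls as myObscurepass(); the substr() shuffling is
// omitted because it costs the attacker nothing.)
function legacyGuessCost(string $guess, string $salt): string
{
    return hash('sha512', hash('sha512', $guess) . $salt);
}

// bcrypt through password_hash(); each +1 on cost doubles the work.
function bcryptHash(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// PBKDF2-HMAC-SHA-512 via hash_pbkdf2() (the construction NIST SP 800-132
// describes). Salt from a CSPRNG, iteration count stored with the result.
function pbkdf2Hash(string $password, int $iterations): string
{
    $salt = random_bytes(16);
    $dk   = hash_pbkdf2('sha512', $password, $salt, $iterations, 32, true);
    return sprintf('pbkdf2-sha512$%d$%s$%s',
        $iterations, base64_encode($salt), base64_encode($dk));
}

function pbkdf2Verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored, 4);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha512') {
        return false;
    }
    [, $iterations, $salt, $dk] = $parts;
    $salt     = base64_decode($salt, true);
    $expected = base64_decode($dk, true);
    if ($salt === false || $expected === false) {
        return false;
    }
    $actual = hash_pbkdf2('sha512', $password, $salt, (int) $iterations,
        strlen($expected), true);
    return hash_equals($expected, $actual); // constant-time comparison
}

// Raise the bcrypt cost until one hash takes at least $targetSeconds (the
// tuning recipe from the php.net password_hash() page); run this on the
// server that will actually do the hashing, not on a developer laptop.
function tuneBcryptCost(float $targetSeconds = 0.25): int
{
    $cost = 9;
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
    } while ((microtime(true) - $start) < $targetSeconds && $cost < 31);
    return $cost;
}

// Single-threaded guesses per second against one scheme on this machine.
function guessesPerSecond(callable $oneGuess, int $n): float
{
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $oneGuess("candidate-$i");
    }
    return $n / (microtime(true) - $start);
}

$salt = hash('sha512', 'constructed-salt-for-the-benchmark');
$legacyRate = guessesPerSecond(fn(string $g) => legacyGuessCost($g, $salt), 200000);

$cost = tuneBcryptCost();
$bcryptRate = guessesPerSecond(fn(string $g) => bcryptHash($g, $cost), 5);
$pbkdf2Rate = guessesPerSecond(fn(string $g) => pbkdf2Hash($g, 200000), 5);

printf("posted scheme (2x SHA-512):   %10.0f guesses/s\n", $legacyRate);
printf("bcrypt, cost=%d:              %10.2f guesses/s\n", $cost, $bcryptRate);
printf("PBKDF2-HMAC-SHA-512, 200k it: %10.2f guesses/s\n", $pbkdf2Rate);

// Store and verify with the PBKDF2 variant, then the same with bcrypt.
$stored = pbkdf2Hash('correct horse battery staple', 200000);
var_dump(pbkdf2Verify('correct horse battery staple', $stored));
var_dump(pbkdf2Verify('Tr0ub4dor&3', $stored));

$bc = bcryptHash('correct horse battery staple', $cost);
var_dump(password_verify('correct horse battery staple', $bc));
var_dump(password_verify('Tr0ub4dor&3', $bc));
```

The first number is the one to look at: two SHA-512 calls per guess is fast by design, and the single-threaded PHP figure understates the gap, since SHA-2 runs far faster on GPUs while bcrypt and a high-iteration PBKDF2 do not scale the same way. The posted scheme also draws its salt from uniqid(rand()), which is not a cryptographic random source; random_bytes() is. If the requirement really is "NIST-approved primitives only", hash_pbkdf2() with HMAC-SHA-512 and a tuned iteration count keeps the primitive while adding the stretching the question asks about; otherwise password_hash()/password_verify() is the simpler choice.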

Re: Password hashing

Posted: Fri Feb 13, 2015 3:56 am
by requinix
cap2cap10 wrote:The law requires I use only algorithms approved by NIST (National Institute of Standards and Technology) for password hashing:
SHA-2, SHA-3, etc.
Can you point out the reference you're using? I'm only aware of recommendations regarding message digests and cryptographic key derivation, neither of which apply to password hashes.