Password hashing
Posted: Thu Feb 12, 2015 9:58 pm
Greetings again members of the PHP Technorati. I come to you perplexed by the issues of encryption strength and password
hashing. I need to know how strong is this script against BRUTE FORCE attacks, et al.? Should I add in some type of password
stretching or just settle for a password_hash() security for protecting passwords in a db using one way encryption?
The law requires I use only algorithms approved by the NIST (National Institute for Standards in Technology) for password hashing:
Sha2, Sha3, etc.
Thanks in Advance
Batoe
Here is the script:
    function myObscurepass($userpassword, $saltHash=NULL, $mode='sha512'){
        // hash the text //
        $textHash = hash($mode, $userpassword);
        // set where salt will appear in hash //
        $saltStart = strlen($userpassword);
        // if no salt given create random one //
        if($saltHash == NULL) {
            $saltHash = hash($mode, uniqid(rand(), true));
        }
        // add salt into text hash at pass length position and hash it //
        if($saltStart > 0 && $saltStart < strlen($saltHash)) {
            $textHashStart = substr($textHash,0,$saltStart);
            $textHashEnd = substr($textHash,$saltStart,strlen($saltHash));
            $outHash = hash($mode, $textHashEnd.$saltHash.$textHashStart);
        } elseif($saltStart > (strlen($saltHash)-1)) {
            $outHash = hash($mode, $textHash.$saltHash);
        } else {
            $outHash = hash($mode, $saltHash.$textHash);
        }
        // put salt at front of hash //
        $output = $saltHash.$outHash;
        return $output;
    }
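Added example, not part of the original post or the poster's code: one way to get password stretching while staying on a NIST-specified construction is PBKDF2 (NIST SP 800-132) over HMAC-SHA-512, using PHP's built-in hash_pbkdf2(). The function names, the record format and the iteration count are assumptions made for this illustration; random_bytes() needs PHP 7 or later.

```php
<?php
// Added illustration, not the poster's code. Function names, the record
// format and the iteration count are assumptions made for this example.

const PBKDF2_ALGO = 'sha512';       // SHA-2 family, as the post requires
const PBKDF2_ITERATIONS = 210000;   // assumed work factor; tune to your hardware
const PBKDF2_SALT_BYTES = 16;
const PBKDF2_KEY_BYTES = 32;

// Returns "pbkdf2-sha512$<iterations>$<salt b64>$<derived key b64>".
function stretch_password(string $password, int $iterations = PBKDF2_ITERATIONS): string
{
    // Per-user salt from the OS CSPRNG, instead of uniqid(rand(), true).
    $salt = random_bytes(PBKDF2_SALT_BYTES);
    // Stretching: every guess costs $iterations HMAC-SHA-512 evaluations.
    $key = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, PBKDF2_KEY_BYTES, true);
    return implode('$', [
        'pbkdf2-' . PBKDF2_ALGO, $iterations, base64_encode($salt), base64_encode($key),
    ]);
}

function verify_password(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-' . PBKDF2_ALGO) {
        return false; // unknown or malformed record
    }
    $iterations = (int) $parts[1];
    $salt = base64_decode($parts[2], true);
    $expected = base64_decode($parts[3], true);
    if ($iterations < 1 || $salt === false || $expected === false || $expected === '') {
        return false;
    }
    // Recompute with the parameters stored in the record, then compare
    // in constant time so the check does not leak where the bytes differ.
    $actual = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, strlen($expected), true);
    return hash_equals($expected, $actual);
}

// True when a record was written with a lower work factor than the current one,
// so it can be re-derived and re-stored after the next successful login.
function needs_rehash(string $stored): bool
{
    $parts = explode('$', $stored);
    return count($parts) !== 4 || (int) $parts[1] < PBKDF2_ITERATIONS;
}

$record = stretch_password('correct horse battery staple'); // constructed sample input
var_dump(verify_password('correct horse battery staple', $record));
var_dump(verify_password('wrong guess', $record));
var_dump(needs_rehash($record));
```

Storing the iteration count inside each record is what lets the work factor be raised later without invalidating existing passwords.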