Basically it used a sitewide salt and a row-specific pepper, then did a SHA256 on it, and of course, the result is the hex hash. When I appended the random pepper to it, well, if someone were to look at the list of passwords, it was quite clear... I like to make it not as easy to "see". I know it's practically not such a big deal, as usually, if they found a way to get the database, they most likely got a way to put something like a hack shell on the site to see the raw PHP code too...
So anyhow, I went to convert it over from hex "digits" over to every typeable character (without using the ALT+### method), chr(33)-chr(126). So what I did back then was just split the hash into 4 "digit" chunks, use hexdec() to get that back to an actual number, then convert that back over to a 3 digit base94 number, and string them all together. Below is the code, off the top of my head, but the main gist of it. You end up with a SHA256 hashed password + pepper stored in a char(60) field, instead of a char(76).
Anyhow, it had me wondering, I'm sure there has to be a more efficient way to convert between the two bases, and I know there are some people here who are way more advanced than me, and figured I'd ask to satisfy the geekness in me. I was thinking of applying something similar to the result of password_hash(), what can I say, it drives me nuts seeing a "unique" field with repeating patterns... (I need to get over it LOL). Anyhow, when comparing going from what would be Base 65 ( $ . / a-z A-Z 0-9) over to a Base94, it didn't work enough to save bytes in storage, so without knowing how to convert without "chunking" it, just went with raw password_hash() results.
Thanks.
function pass_hash($strPassword, $strPepper = NULL) {
    if (is_null($strPepper) || $strPepper == '') {
        // No pepper supplied: generate 12 random printable characters, chr(33)..chr(126).
        // random_int() is a CSPRNG; the original used mt_rand(), which is not suitable for secrets.
        $strPepper = '';
        for ($t = 0; $t < 12; $t++) { $strPepper .= chr(random_int(33, 126)); }
    } else {
        // Pepper supplied (when verifying): normalise it to exactly 12 characters.
        while (strlen($strPepper) < 12) { $strPepper .= $strPepper; }
        $strPepper = substr($strPepper, 0, 12);
    }
    // SITE_SALT is the sitewide constant defined elsewhere in the application.
    $strMash = SITE_SALT . $strPassword . $strPepper;
    $strHash64 = hash('sha256', $strMash);   // 64 hex digits
    $strHash94 = '';
    // Re-encode each 4-hex-digit chunk (0..65535) as three base-94 digits (94^3 = 830584 > 65535).
    foreach (str_split($strHash64, 4) as $chunk) {
        $n = hexdec($chunk);
        $a = intdiv($n, 8836);   // 8836 = 94^2
        $n -= 8836 * $a;
        $b = intdiv($n, 94);
        $c = $n - 94 * $b;
        $strHash94 .= chr(33 + $a) . chr(33 + $b) . chr(33 + $c);
    }
    // 12 pepper characters + 16 chunks * 3 characters = 60 characters.
    return $strPepper . $strHash94;
}

function pass_check($strPassword, $strHash) {
    $strPepper = substr($strHash, 0, 12);
    $strReHash = pass_hash($strPassword, $strPepper);
    // The original compared with == against a mis-cased $strRehash (always empty);
    // hash_equals() also avoids leaking where the strings differ through timing.
    return hash_equals($strHash, $strReHash);
}
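An added example (not from the post above) of the "no chunking" conversion being asked about: treat the 32 raw SHA-256 bytes as a single number and repeatedly divide by 94, which needs 40 characters instead of the 48 the 4-hex-digit chunking produces. The salt, password and pepper in the usage lines are constructed placeholders; the encoding only changes storage width and adds no strength to the hash.

```php
<?php
// Encode a byte string (here the raw 32 bytes of SHA-256) as base 94 using the
// printable alphabet chr(33)..chr(126), treating the whole input as one number
// rather than 16-bit chunks: ceil(256 / log2(94)) = 40 characters instead of 48.
function bytes_to_base94(string $bytes): string
{
    $digits = array_values(unpack('C*', $bytes)); // big-endian base-256 digits
    $out = '';
    // Long division by 94, repeated: each pass yields one base-94 digit (the
    // remainder) and its quotient is the dividend for the next pass.
    while ($digits !== []) {
        $rem = 0;
        $next = [];
        foreach ($digits as $d) {
            $acc = $rem * 256 + $d;
            $q = intdiv($acc, 94);
            $rem = $acc % 94;
            if ($q > 0 || $next !== []) { $next[] = $q; } // drop leading zeros
        }
        $out = chr(33 + $rem) . $out; // chr(33) == '!' is digit 0
        $digits = $next;
    }
    // Left-pad with '!' so every stored value has the same width (40 for 32 bytes).
    $width = (int) ceil(8 * strlen($bytes) / log(94, 2));
    return str_pad($out, $width, chr(33), STR_PAD_LEFT);
}
// Inverse via Horner's rule; only used here to prove the round trip, since
// checking a password re-encodes and compares rather than decoding.
function base94_to_bytes(string $text, int $byteLen): string
{
    $digits = [0];
    foreach (str_split($text) as $ch) {
        $carry = ord($ch) - 33;
        for ($i = count($digits) - 1; $i >= 0; $i--) {
            $v = $digits[$i] * 94 + $carry;
            $digits[$i] = $v % 256;
            $carry = intdiv($v, 256);
        }
        while ($carry > 0) {
            array_unshift($digits, $carry % 256);
            $carry = intdiv($carry, 256);
        }
    }
    return str_pad(implode('', array_map('chr', $digits)), $byteLen, "\0", STR_PAD_LEFT);
}
// Constructed demo input: SITE_SALT, password and pepper are placeholders.
$raw = hash('sha256', 'SITE_SALT_PLACEHOLDER' . 'hunter2' . 'pepper123456', true);
$enc = bytes_to_base94($raw); // 40 printable chars; prepend the 12-char pepper as before
if (strlen($enc) !== 40 || base94_to_bytes($enc, 32) !== $raw) { throw new RuntimeException('round trip failed'); }
```

With the 12-character pepper prepended this stores in a char(52) field rather than char(60); verification still re-encodes and compares with hash_equals(), so the decoder is never needed in production.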