PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours
PostPosted: Mon Feb 24, 2014 1:14 pm 
Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio
So I was revisiting old code written several years ago for hashing passwords, converting the site over to use password_hash instead.

Basically it used a sitewide salt and a row specific pepper, then did a SHA256 on it, and of course, the result is the hex hash. When I appended the random pepper to it, well if someone were to look at the list of passwords, it was quite clear. I'd like to make it not as easy to "see". I know it's practically not such a big deal, as usually, if they found a way to get the database, they most likely got a way to put something like a hack shell on the site to see the raw PHP code too...

So anyhow, I went to convert it over from hex "digits" to every typeable character (without using the ALT+### method), chr(33)-chr(126). So what I did back then was just split the hash into 4 "digit" chunks, use hexdec() to get that back to an actual number, then convert that back over to a 3 digit base94 number, and string them all together. Below is the code, off the top of my head, but it's the main gist of it. You end up with a SHA256 hashed password + pepper stored in a char(60) field, instead of a char(76).

Anyhow, it had me wondering: I'm sure there has to be a more efficient way to convert between the two bases, and I know there are some people here who are way more advanced than me, and figured I'd ask to satisfy the geekness in me. I was thinking of applying something similar to the result of password_hash(); what can I say, it drives me nuts seeing a "unique" field with repeating patterns... (I need to get over it LOL). Anyhow, when comparing going from what would be Base 65 ( $ . / a-z A-Z 0-9) over to a Base94, it didn't work out enough to save bytes in storage, so without knowing how to convert without "chunking" it, I just went with raw password_hash() results.

Thanks.

// SITE_SALT is the site-wide constant, assumed to be defined elsewhere
// (e.g. define('SITE_SALT', '...')).
function pass_hash($strPassword, $strPepper = NULL) {
        if (is_null($strPepper) || $strPepper == '') {
                // New record: build a 12-character pepper from printable ASCII (chr 33..126).
                // Note: mt_rand() is not a cryptographically secure random source.
                $strPepper = '';
                for ($t = 0; $t < 12; $t++) { $strPepper .= chr(mt_rand(33, 126)); }
        } else {
                // Verification: a stored pepper is passed in; pad/trim it to exactly 12 chars.
                while (strlen($strPepper) < 12) { $strPepper .= $strPepper; }
                $strPepper = substr($strPepper, 0, 12);
        }
        $strMash = SITE_SALT . $strPassword . $strPepper;
        $strHash64 = hash('sha256', $strMash);      // 64 hex digits
        $strHash94 = '';
        // Each 4 hex digits (0..65535) become 3 base-94 digits (94^3 = 830584 > 65535).
        foreach (str_split($strHash64, 4) as $chunk) {
                $n = hexdec($chunk);
                $a = (int) floor($n / 8836);        // 8836 = 94 * 94
                $n -= 8836 * $a;
                $b = (int) floor($n / 94);
                $c = $n - 94 * $b;
                $strHash94 .= chr(33 + $a) . chr(33 + $b) . chr(33 + $c);
        }
        return $strPepper . $strHash94;             // 12 + 48 = 60 characters
}

function pass_check($strPassword, $strHash) {
        $strPepper = substr($strHash, 0, 12);       // the stored pepper is the prefix
        $strReHash = pass_hash($strPassword, $strPepper);
        return ($strHash === $strReHash);
}
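An added example in Python (not code from the thread) for the question of converting without chunking: it reproduces the post's 4-hex-to-3-character scheme, adds its decoder, and converts the whole 32-byte digest as one integer, which needs 40 base-94 characters instead of 48. SITE_SALT, PEPPER and the password are constructed placeholders.

```python
import hashlib

# Constructed sample values (not from the thread) standing in for the post's
# site-wide salt constant and its 12-character row pepper.
SITE_SALT = "example-site-salt"
PEPPER = "Kq7!zP#mR2@w"
ALPHABET = "".join(chr(c) for c in range(33, 127))  # the 94 printable ASCII chars
BASE = len(ALPHABET)  # 94

def chunked_base94(hex_digest: str) -> str:
    """The post's scheme: 4 hex digits (0..65535) -> 3 base-94 digits (94**3 = 830584)."""
    out = []
    for i in range(0, len(hex_digest), 4):
        n = int(hex_digest[i:i + 4], 16)
        a, n = divmod(n, BASE * BASE)
        b, c = divmod(n, BASE)
        out.append(ALPHABET[a] + ALPHABET[b] + ALPHABET[c])
    return "".join(out)

def chunked_base94_decode(encoded: str) -> str:
    """Inverse of chunked_base94: the encoding is fully reversible, so it hides nothing."""
    out = []
    for i in range(0, len(encoded), 3):
        a, b, c = (ALPHABET.index(ch) for ch in encoded[i:i + 3])
        out.append(format(a * BASE * BASE + b * BASE + c, "04x"))
    return "".join(out)

def whole_base94(digest: bytes) -> str:
    """No chunking: treat the 32 bytes as one integer; 256 bits fit in 40 base-94 digits."""
    n = int.from_bytes(digest, "big")
    digits = []
    for _ in range(40):  # fixed width so leading zeros survive the round trip
        n, r = divmod(n, BASE)
        digits.append(ALPHABET[r])
    return "".join(reversed(digits))

def whole_base94_decode(encoded: str) -> bytes:
    n = 0
    for ch in encoded:
        n = n * BASE + ALPHABET.index(ch)
    return n.to_bytes(32, "big")

def stored_lengths(password: str) -> dict:
    """Characters the same SHA-256 digest occupies under each representation."""
    digest = hashlib.sha256((SITE_SALT + password + PEPPER).encode()).digest()
    return {"hex": len(digest.hex()),
            "chunked94": len(chunked_base94(digest.hex())),
            "whole94": len(whole_base94(digest))}
```

Both encodings decode back to the original digest, so the only thing either saves is storage; anyone who can read the code reverses them the same way.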

PostPosted: Mon Feb 24, 2014 1:59 pm 
Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
There's no real benefit to trying to obscure the password hash - all you've done is add more processing time in order to compress the hash into a smaller string. A key tenet of cryptography is that knowledge of the algorithm used should not compromise anything, and once (not if) someone discovers your obfuscation method all of its benefit is immediately lost.
Salts are not about making it harder to crack a password but about making it harder to crack many passwords at once.

I don't get what you're saying about what was so clear when you appended the pepper: as long as you turn it into a hexadecimal string to match the hash output (e.g., with bin2hex) then it all looks the same.

Additionally, no thread like this should go without a mention of how one should be using password_hash() or bcrypt instead of trying to roll their own.

PostPosted: Mon Feb 24, 2014 3:05 pm 
Joined: Tue Sep 28, 2010 11:41 am
Posts: 984
Location: Columbus, Ohio

PostPosted: Mon Feb 24, 2014 4:29 pm 
Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA