PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 

All times are UTC - 5 hours




PostPosted: Thu Sep 29, 2011 3:38 am 
Forum Newbie

Joined: Thu Sep 29, 2011 3:18 am
Posts: 3
Hello everyone!

I was having some problems with crypt() so I wrote a function to make hashing passwords MUCH easier:

<?php
function hasher($info, $encdata = false)
{
  $strength = "08";
  // if encrypted data is passed, check it against input ($info):
  // the cost is read back from characters 4-5 of the stored string and the
  // salt from the 22 characters appended after the 60-character bcrypt output
  if ($encdata) {
    if (substr($encdata, 0, 60) == crypt($info, "$2a$".substr($encdata, 4, 2)."$".substr($encdata, 60))) {
      return true;
    }
    else {
      return false;
    }
  }
  else {
    // make a salt and hash it with input, and add salt to end
    $salt = "";
    for ($i = 0; $i < 22; $i++) {
      $salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1);
    }
    // return 82 char string (60 char hash & 22 char salt)
    return crypt($info, "$2a$".$strength."$".$salt).$salt;
  }
}
?>
 

If just data is passed to it, it will hash it with a randomly generated salt, then append the hash to the end. If you wish to compare input to a hash, you just feed it the input, then the hash; it will retrieve the salt from the hash and then hash the input with it, and compare it to the hash you fed it. It is a cryptographic function optimized for hashing passwords.

I hope some of you find this useful. I published this on the crypt() manual, but I saw this forum and liked it, and wanted to make a first post that was useful to someone. Hope this helps, criticism is welcome! Moore's law compatibility is controlled via the $strength var, that controls the difficulty of the hashing function. This is as secure as password hashing really gets.

It's my own drop in replacement for PHPass basically.


Last edited by fourthwall on Thu Sep 29, 2011 10:07 am, edited 1 time in total.

 
PostPosted: Thu Sep 29, 2011 5:17 am 
DevNet Resident

Joined: Sun Sep 03, 2006 5:19 am
Posts: 1579
Location: Sofia, Bulgaria
1. I don't see what problem with crypt() you had, since you *are* using crypt here.
2. These are two functions rolled into one, a bad smell. I'd split them into hash() and check() halves.
3. When checking you are using the $strength as defined in the function not in the hash. This is not necessarily bad, but you must be aware that it will make your hashes not backward compatible.


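Added example, not code from either poster: the first post's bcrypt-via-crypt() idea, split into the hash and check halves the reply above suggests, with the cost read back out of the stored hash so older, lower-cost hashes still verify (the reply's third point) and a check for when a stored hash should be upgraded to a higher cost. It differs from the posted function in three defensive details: the salt comes from random_bytes() rather than mt_rand(), the comparison uses hash_equals() so timing does not depend on how many leading bytes match, and nothing is appended to the 60-character output because bcrypt already embeds its salt. The function names (bcrypt_salt, bcrypt_cost, bcrypt_hash, bcrypt_verify, bcrypt_needs_rehash) and the sample password are this example's own; it assumes PHP 7 or later.

```php
<?php
// Added example: bcrypt through crypt(), split into separate hash/verify halves.
// Function names and sample values are this example's own, not the thread's code.
declare(strict_types=1);

// The 64-character alphabet bcrypt uses for its 22-character salt (same one the original post uses).
const BCRYPT_SALT_ALPHABET = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';

// Build a 22-character salt from CSPRNG bytes (random_bytes, PHP 7+) instead of mt_rand().
function bcrypt_salt(): string
{
    $salt = '';
    foreach (str_split(random_bytes(22)) as $byte) {
        // the low 6 bits of each random byte pick one of the 64 alphabet characters
        $salt .= BCRYPT_SALT_ALPHABET[ord($byte) & 0x3f];
    }
    return $salt;
}

// Parse the cost out of a stored hash ("$2y$08$..." -> 8); null if it is not a bcrypt string.
// Reading the cost from the hash, not from a constant, is what keeps older hashes verifiable.
function bcrypt_cost(string $stored): ?int
{
    if (preg_match('/^\$2[axy]\$(\d{2})\$[.\/A-Za-z0-9]{53}$/', $stored, $m)) {
        return (int) $m[1];
    }
    return null;
}

// Hash a password; the 60-character result already contains prefix, cost and salt.
function bcrypt_hash(string $password, int $cost = 10): string
{
    if ($cost < 4 || $cost > 31) {
        throw new InvalidArgumentException('bcrypt cost must be between 4 and 31');
    }
    // "$2y$" is the corrected bcrypt identifier PHP added in 5.3.7; "$2a$" is the older one the post uses.
    $setting = sprintf('$2y$%02d$%s', $cost, bcrypt_salt());
    $hash = crypt($password, $setting);
    // crypt() answers a short "*0"/"*1" string when the setting is rejected; never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt is unavailable or the setting was rejected');
    }
    return $hash;
}

// Verify a password against a stored hash in constant time.
function bcrypt_verify(string $password, string $stored): bool
{
    if (bcrypt_cost($stored) === null) {
        return false; // not bcrypt: do not let crypt() fall back to a weaker scheme
    }
    // crypt() takes the stored hash itself as the setting and reads prefix, cost and salt from it.
    $recomputed = crypt($password, $stored);
    return hash_equals($stored, $recomputed);
}

// True when the stored hash was made with a lower cost than we want now (the "$strength" knob
// from the original post, applied per hash so Moore's-law upgrades happen at the next login).
function bcrypt_needs_rehash(string $stored, int $desiredCost): bool
{
    $cost = bcrypt_cost($stored);
    return $cost === null || $cost < $desiredCost;
}

// Usage with a constructed sample password: hash at cost 8 (the post's default),
// verify the right and a wrong password, then see whether cost 12 would warrant a rehash.
$stored = bcrypt_hash('correct horse battery staple', 8);
var_dump(bcrypt_verify('correct horse battery staple', $stored));
var_dump(bcrypt_verify('wrong password', $stored));
var_dump(bcrypt_needs_rehash($stored, 12));
```

On PHP 5.5 and later the built-in password_hash(), password_verify() and password_needs_rehash() implement exactly this split, including cost parsing and the constant-time compare, and are the functions to reach for in new code; the example above shows what they do underneath in terms of the crypt() call the thread discusses.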
 
PostPosted: Thu Sep 29, 2011 6:13 am 
Forum Newbie

Joined: Thu Sep 29, 2011 3:18 am
Posts: 3
It was meant to be a wrapper to simplify password hashing, as it handles salt generation and doesn't require the client code to store the salt separately and pass it back, etc. I found it useful :) and the strength value was just there for people to choose when they implement it.

This is just a simplified wrapper for crypt()


 
PostPosted: Thu Sep 29, 2011 10:07 am 
Forum Newbie

Joined: Thu Sep 29, 2011 3:18 am
Posts: 3
Okay, it's now reverse compatible with lower strength hashes, thanks for that.


 