Easy high security crypto function
Posted: Thu Sep 29, 2011 3:38 am
Hello everyone!
I was having some problems with crypt() so I wrote a function to make hashing passwords MUCH easier:
If just data is passed to it, it will hash it with a randomly generated salt, then append the salt to the end. If you wish to compare input to a hash, you just feed it the input, then the hash; it will retrieve the salt from the hash, hash the input with it, and compare it to the hash you fed it. It is a cryptographic function optimized for hashing passwords.
I hope some of you find this useful. I published this on the crypt() manual, but I saw this forum and liked it, and wanted to make a first post that was useful to someone. Hope this helps, criticism is welcome! Moore's law compatibility is controlled via the $strength var, which controls the difficulty of the hashing function. This is as secure as password hashing really gets.
It's my own drop-in replacement for PHPass, basically.
Code:
<?php
function hasher($info, $encdata = false)
{
    // bcrypt cost parameter; crypt() expects exactly two digits ("08" = 2^8 rounds)
    $strength = "08";

    // if encrypted data is passed, check it against input ($info)
    if ($encdata) {
        // layout of $encdata: chars 0-59 are the bcrypt output (which itself holds
        // "$2a$", the cost at chars 4-5 and the salt), chars 60-81 are the appended salt
        $setting = "$2a$" . substr($encdata, 4, 2) . "$" . substr($encdata, 60);
        // strict comparison so PHP never falls back to loose/numeric string comparison
        return substr($encdata, 0, 60) === crypt($info, $setting);
    }
    else {
        // make a salt and hash it with input, and add salt to end
        // (22 characters drawn from the bcrypt salt alphabet)
        $salt = "";
        for ($i = 0; $i < 22; $i++) {
            $salt .= substr("./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789", mt_rand(0, 63), 1);
        }
        // return 82 char string (60 char hash & 22 char salt)
        return crypt($info, "$2a$" . $strength . "$" . $salt) . $salt;
    }
}
?>
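A hardened variant of the same idea, added here as an example and not the original poster's code. It keeps the crypt()/bcrypt approach but draws the salt from random_bytes() (PHP 7.0+) instead of mt_rand(), compares with hash_equals() (PHP 5.6+) so the check runs in constant time, uses the "$2y$" prefix PHP has provided since 5.3.7, and relies on the fact that the 60-character bcrypt output already carries its own salt, so nothing needs to be appended. The function names, the cost of 10 and the sample password are assumptions made for this example.

```php
<?php
// Added example, not the original post's code. Assumes PHP >= 7.0.

// Build a 22-character bcrypt salt from the bcrypt alphabet using the CSPRNG.
function bcrypt_salt()
{
    $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    $bytes = random_bytes(22);
    $salt = '';
    for ($i = 0; $i < 22; $i++) {
        // 64-symbol alphabet, so the low 6 bits of each byte map onto it uniformly
        $salt .= $alphabet[ord($bytes[$i]) & 63];
    }
    return $salt;
}

// Hash a password; the returned 60-char string contains prefix, cost and salt.
function make_hash($password, $cost = 10)
{
    // single quotes keep "$2y$" literal; cost must be two digits for crypt()
    $setting = sprintf('$2y$%02d$%s', $cost, bcrypt_salt());
    $hash = crypt($password, $setting);
    // crypt() reports failure with a short string such as "*0"; never store that
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify a password against a stored hash without any extra salt bookkeeping.
function check_hash($password, $hash)
{
    if (!is_string($hash) || strlen($hash) !== 60) {
        return false;
    }
    // Passing the stored hash as the setting makes crypt() reuse its prefix,
    // cost and salt, so the recomputation can be compared directly.
    $recomputed = crypt($password, $hash);
    // constant-time comparison, so a mismatch position leaks no timing information
    return hash_equals($hash, $recomputed);
}

// Constructed usage: a sample password, hashed and then verified.
$stored = make_hash('correct horse battery staple');
var_dump(check_hash('correct horse battery staple', $stored));
var_dump(check_hash('wrong password', $stored));
var_dump(check_hash('correct horse battery staple', '*0'));
?>
```

Because the cost is stored inside the hash, raising it later only requires rehashing on the next successful login; check_hash() keeps working on old hashes. On PHP 5.5 and later the built-in password_hash() and password_verify() functions implement exactly this pattern and are the usual choice.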