Hi there everyone, I'm new here and after browsing the internet for the answer to my troubles I think this is my final resort.
I'm currently working on a web interface system for a client that allows users to log in, view, manage and control user accounts that are called from a MySQL database. Everything is written and ready to go live bar 1 major function. The secure login.
I currently have a login script that simply runs off plain text for the purpose of development, but now that the system is ready to go live I need to get this system working. So here are the details.
The login system, like most, collects the information from the login form and forwards it to loginscript.php. Once there it needs to encrypt the attempted password and compare it to the stored password. This is where I am having the issues.
I need help with the encryption on the attempted password. The stored passwords are encrypted in whirlpool using a 128 character hash.
If there is someone here who has any knowledge in this area I will be truly grateful,
Thanks for reading,
Callum
PHP and Whirlpool Encryption
Re: PHP and Whirlpool Encryption
Code:
> php -r 'var_dump(in_array("whirlpool", hash_algos()));'
bool(true)
- social_experiment
Re: PHP and Whirlpool Encryption
http://www.php.net/manual/en/book.hash.php
This might be useful to you
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
Re: PHP and Whirlpool Encryption
@Weitdan The major issue I'm having is I don't know where to start. As I stated, I have my login script and I have my whirlpool encrypted passwords, I just don't know how to encrypt the $_POST['username'] and the fact we have a custom 128 character custom hash
- social_experiment
Re: PHP and Whirlpool Encryption
Code:
string hash ( string $algo , string $data [, bool $raw_output = false ] )
Re: PHP and Whirlpool Encryption
Thanks for your reply. Pardon my n00bness. If my data were attacked, the attacker would also have access to the script, and thus the salt. So how would the hash of salt+password be more secure?
So you're saying I should replace the key with hash('sha256', 'asdf324!.#qQ' . $password)?
Re: PHP and Whirlpool Encryption
The main benefit of a salt is to protect against rainbow table lookups. Even an application-wide random salt is going to change all the hashes, so their list of known hashes no longer works. Per-user salts confound that even more. You're right in assuming that with access to your salts, your hashes, and enough time, an attacker will be able to work out your passwords. This is where Blowfish and the concept of a work factor begin to shine. You simply make it so computationally expensive to try to brute force your passwords that it becomes not worth their time. tl;dr Use bcrypt.
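Pulling the thread together, as an added example that is not code from any poster: a login check that verifies an existing whirlpool hash and moves the account to bcrypt on the first successful login. It assumes the stored values are unsalted hash('whirlpool', $password) hex strings (the thread does not say how they were produced); the function name verify_login and the cost of 12 are hypothetical choices.

```php
<?php
// Added example, not code from the thread. Assumption: legacy rows hold
// hash('whirlpool', $password) as 128 hex characters with no salt.
const BCRYPT_OPTS = ['cost' => 12]; // assumed work factor, tune per server

/**
 * Check a login attempt against the stored hash.
 * Returns [bool $ok, ?string $replacement]; when $replacement is not null
 * the caller should write it back to the user's row.
 */
function verify_login(string $attempt, string $stored): array
{
    // Whirlpool output is 512 bits, i.e. exactly 128 hex characters.
    $isLegacy = strlen($stored) === 128 && ctype_xdigit($stored);

    if ($isLegacy) {
        $candidate = hash('whirlpool', $attempt);
        // hash_equals() compares in constant time, unlike == or ===.
        if (!hash_equals(strtolower($stored), $candidate)) {
            return [false, null];
        }
        // Password is known to be correct here, so migrate to bcrypt now.
        return [true, password_hash($attempt, PASSWORD_BCRYPT, BCRYPT_OPTS)];
    }

    // Already migrated: bcrypt keeps its per-user salt and cost in the hash.
    if (!password_verify($attempt, $stored)) {
        return [false, null];
    }
    // Re-hash if the work factor was raised after this hash was created.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)
        ? password_hash($attempt, PASSWORD_BCRYPT, BCRYPT_OPTS)
        : null;
    return [true, $new];
}

// Constructed sample data standing in for one row of the users table.
$row = hash('whirlpool', 'correct horse battery');

[$ok, $upgraded] = verify_login('correct horse battery', $row);
var_dump($ok, $upgraded !== null);          // first login: accepted, upgraded

[$ok2, $again] = verify_login('correct horse battery', $upgraded);
var_dump($ok2, $again);                     // later login: accepted, no rewrite

[$bad] = verify_login('wrong guess', $upgraded);
var_dump($bad);                             // wrong password: rejected
```

The password column must be wide enough for the new value; PHP's documentation recommends 255 characters so future algorithms also fit.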