PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
All times are UTC - 5 hours

PostPosted: Wed Dec 07, 2011 5:02 am
Forum Newbie

Joined: Wed Dec 07, 2011 4:55 am
Posts: 3
Hi there everyone, I'm new here and after browsing the internet for the answer to my troubles I think this is my final resort.

I'm currently working on a web interface system for a client that allows users to log in, view, manage and control user accounts that are called from a MySQL database. Everything is written and ready to go live bar 1 major function: the secure login.

I currently have a login script that simply runs off plain text for the purpose of development, but now that the system is ready to go live I need to get this system working. So here are the details.

The login system, like most, collects the information from the login form and forwards it to loginscript.php. Once there it needs to encrypt the attempted password and compare it to the stored password. This is where I am having the issues.

I need help with the encryption on the attempted password. The stored passwords are encrypted in whirlpool using a 128 character hash.

If there is someone here who has any knowledge in this area I will be truly grateful.

Thanks for reading,

Callum


PostPosted: Wed Dec 07, 2011 5:22 am
Moderator

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
Code:
> php -r 'var_dump(in_array("whirlpool", hash_algos()));'
bool(true)


Is there any specific problem you're having? Or you simply don't know where to start?


PostPosted: Wed Dec 07, 2011 5:42 am
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
http://www.php.net/manual/en/book.hash.php
This might be useful to you

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Sun Dec 11, 2011 3:22 pm
Forum Newbie

Joined: Wed Dec 07, 2011 4:55 am
Posts: 3
@Weitdan The major issue I'm having is I don't know where to start. As I stated, I have my login script and I have my whirlpool encrypted passwords; I just don't know how to encrypt the $_POST['username'], and there is the fact that we have a custom 128 character hash.


PostPosted: Sun Dec 11, 2011 4:13 pm
DevNet Master

Joined: Sun Feb 15, 2009 12:08 pm
Posts: 2794
Location: .za
string hash ( string $algo , string $data [, bool $raw_output= false ] )

That is how you would hash your $_POST received value, substituting $algo with whirlpool and $data with $_POST['username'].

_________________
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering


PostPosted: Mon Feb 16, 2015 7:05 am
Forum Newbie
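As an added worked example (not code from the thread), this is what the comparison in loginscript.php looks like once the hash() call above is wired in. It assumes PHP 7 or later and a constructed in-memory "users table" in place of the MySQL lookup; column and variable names are made up. The 128 characters the original poster mentions are simply Whirlpool's 512-bit digest rendered as hex by hash(), so no custom format is involved.

```php
<?php
// Added example: verifying a submitted password against a stored Whirlpool hash.
// Whirlpool is a 512-bit digest; hash('whirlpool', ...) returns it as 128 hex
// characters, which is the "128 character hash" in the stored column.

// Constructed stand-in for the MySQL users table (assumed shape: username => hash).
$storedUsers = [
    'callum' => hash('whirlpool', 'correct horse battery staple'),
];

function verifyWhirlpoolLogin(array $users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Hash anyway so an unknown username costs about the same time as a
        // wrong password; this avoids leaking which usernames exist via timing.
        hash('whirlpool', $password);
        return false;
    }

    $stored = $users[$username];
    if (strlen($stored) !== 128 || !ctype_xdigit($stored)) {
        // Not a Whirlpool hex digest; refuse rather than compare garbage.
        return false;
    }

    // hash_equals() compares in constant time (PHP >= 5.6), so the comparison
    // does not leak how many leading characters matched.
    return hash_equals($stored, hash('whirlpool', $password));
}

// Typical use from the form handler; the fallbacks only let this run from the CLI.
$username = $_POST['username'] ?? 'callum';
$password = $_POST['password'] ?? 'correct horse battery staple';

if (verifyWhirlpoolLogin($storedUsers, $username, $password)) {
    echo "login ok\n";
} else {
    echo "login failed\n";
}
```

The point worth keeping from this block is the pair of checks around the hash call rather than the call itself: validate that the stored value really is a digest of the expected shape, and compare with hash_equals() instead of ==, which in PHP would also treat two numeric-looking hex strings as equal numbers.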

Joined: Mon Feb 16, 2015 7:00 am
Posts: 1
Thanks for your reply. Pardon my n00bness. If my data were attacked, the attacker would also have access to the script, and thus the salt. So how would the hash of salt+password be more secure?

So you're saying I should replace the key with hash('sha256', 'asdf324!.#qQ' . $password)?



PostPosted: Mon Feb 16, 2015 7:29 am
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6391
Location: Montreal, Canada
The main benefit of a salt is to protect against rainbow table lookups. Even an application-wide random salt is going to change all the hashes, so their list of known hashes no longer works. Per-user salts confound that even more. You're right in assuming that with access to your salts, your hashes, and enough time, an attacker will be able to work out your passwords. This is where Blowfish and the concept of a work factor begin to shine. You simply make it so computationally expensive to try to brute force your passwords that it becomes not worth their time. tl;dr Use bcrypt.



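As an added example (not code from the thread), this shows the "use bcrypt" advice above in practice with PHP's built-in password_hash() API, and goes one step beyond the post by also migrating the original poster's legacy Whirlpool hashes to bcrypt the next time each user logs in successfully. It assumes PHP 7 or later; the cost value, function names and the constructed sample rows are choices made for this example, not anything the thread specifies.

```php
<?php
// Added example: bcrypt storage with a work factor, plus lazy migration from
// unsalted Whirlpool hashes. password_hash() generates a random per-user salt
// and embeds it and the cost in the returned string, so no salt column and no
// salt constant in the script are needed (the concern raised in the question).

const BCRYPT_COST = 12; // work factor: each +1 doubles the time per guess

function isLegacyWhirlpool(string $stored): bool
{
    // Whirlpool digests from hash() are exactly 128 hex characters.
    return strlen($stored) === 128 && ctype_xdigit($stored);
}

function hashPassword(string $password): string
{
    // Caveat: bcrypt only uses the first 72 bytes of the input; longer
    // passwords are silently truncated by the algorithm.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/**
 * Checks $password against $stored.
 * Returns false on failure, true on success with nothing to change, or a new
 * bcrypt string on success when the stored hash should be replaced (legacy
 * Whirlpool format, or bcrypt with an outdated cost).
 */
function checkAndUpgrade(string $stored, string $password)
{
    if (isLegacyWhirlpool($stored)) {
        if (!hash_equals($stored, hash('whirlpool', $password))) {
            return false;
        }
        return hashPassword($password); // verified against legacy hash: migrate
    }

    if (!password_verify($password, $stored)) {
        return false;
    }

    // Rehash if the stored bcrypt was produced with a lower cost than we now want.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hashPassword($password);
    }
    return true;
}

// Constructed sample rows: one user still on Whirlpool, one already on bcrypt.
$legacyRow = hash('whirlpool', 'hunter2');
$modernRow = hashPassword('hunter2');

$result = checkAndUpgrade($legacyRow, 'hunter2');
if (is_string($result)) {
    // In the real script: UPDATE users SET password = $result WHERE ...
    echo "legacy login ok, store new bcrypt hash: $result\n";
}

var_dump(checkAndUpgrade($modernRow, 'hunter2')); // true: no change needed
var_dump(checkAndUpgrade($modernRow, 'wrong'));   // false
```

The migration path matters because you cannot convert an existing Whirlpool digest into a bcrypt hash without the plaintext; the only moment you have it is a successful login, so that is when the row gets rewritten. Users who never return keep their old hash, which is why a deadline after which stale accounts are forced through a password reset usually accompanies this approach.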