Secure Login Script (md5 & sha1)

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
Toot4fun
Forum Commoner
Posts: 25
Joined: Wed Dec 10, 2003 11:44 am

Secure Login Script (md5 & sha1)

Post by Toot4fun »

I'm looking to create a secure login script that will use hashing to store/verify the user's password. Based on what I've read, I have a few questions that I'd like verified:

1.) sha256 > sha1 > md5. Correct?
2.) The sha1 algorhythm has been compromised. True?
3.) Let's assume that I use sha1 to hash all my passwords. If, down the road, I wish to change what I use to hash the passwords, is this possible if I can't rehash the original password?

I'm relatively new to implementing security features such as these, so any help on the above quesitons or anything related to secure logon scripts would be greatly appreciated.

Thank you!
Brian
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

  1. yes
  2. Weakened, but still relatively strong.
  3. yes. You can either tag all previous entries with a some marker that tells you they are an "old hash" so you can compare using the older algorithm, then update the record to the "new hash" (because you'll likely have the raw password handy) once verified.
Toot4fun
Forum Commoner
Posts: 25
Joined: Wed Dec 10, 2003 11:44 am

Post by Toot4fun »

Great tip on #3 - I really like that idea!

I'm running PHP 4.4.4 - is sha256 supported yet? If so, how is it implemented?

Thanks again!
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

SHA256 is supported (via a script) in many versions of PHP 4. Take a look at my SHA256 class in Code Snippets.
User avatar
DaveTheAve
Forum Contributor
Posts: 385
Joined: Tue Oct 03, 2006 2:25 pm
Location: 127.0.0.1
Contact:

Post by DaveTheAve »

Thanks Feyd, your SHA256 is now implemented in my first Zend Framework project.
User avatar
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

PHP 51.2 has built in hashing. I use the hash() function in many situations.

This is more of an FYI for other readers as I know your version is lower than 5.1.2.
User avatar
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

I've just found the hash_algos() function, so I checked it out and was happy to find sha256() on the list, but when I tried to call sha256() I got the undefined function error message. What the hell?
Toot4fun
Forum Commoner
Posts: 25
Joined: Wed Dec 10, 2003 11:44 am

Post by Toot4fun »

hash_algos() doesn't list functions, but rather algorhythms that are supported by your PHP installation. If it's listed in hash_algos(), then you can pass it as an argument to hash(). I'm doing the same thing here, so if (like me) you want to use sha256, you would call hash('sha256' 'string to hash goes here')
User avatar
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

Thanks :wink: And add the comma you forgot: hash('sha256' 'string to hash goes here') should be: hash('sha256', 'string to hash goes here')
Toot4fun
Forum Commoner
Posts: 25
Joined: Wed Dec 10, 2003 11:44 am

Post by Toot4fun »

D'oh! Good catch.
Post Reply