Secure Login Script (md5 & sha1)
Posted: Sat Dec 02, 2006 3:01 pm
by Toot4fun
I'm looking to create a secure login script that will use hashing to store/verify the user's password. Based on what I've read, I have a few questions that I'd like verified:
1.) sha256 > sha1 > md5. Correct?
2.) The sha1 algorithm has been compromised. True?
3.) Let's assume that I use sha1 to hash all my passwords. If, down the road, I wish to change what I use to hash the passwords, is this possible if I can't rehash the original password?
I'm relatively new to implementing security features such as these, so any help on the above questions or anything related to secure logon scripts would be greatly appreciated.
Thank you!
Brian
Posted: Sat Dec 02, 2006 3:06 pm
by feyd
- yes
- Weakened, but still relatively strong.
- yes. You can tag all previous entries with some marker that tells you they are an "old hash" so you can compare using the older algorithm, then update the record to the "new hash" (because you'll likely have the raw password handy) once verified.
Posted: Sat Dec 02, 2006 6:50 pm
by Toot4fun
Great tip on #3 - I really like that idea!
I'm running PHP 4.4.4 - is sha256 supported yet? If so, how is it implemented?
Thanks again!
Posted: Sat Dec 02, 2006 6:52 pm
by feyd
SHA256 is supported (via a script) in many versions of PHP 4. Take a look at my SHA256 class in Code Snippets.
Posted: Sat Dec 02, 2006 11:36 pm
by DaveTheAve
Thanks Feyd, your SHA256 is now implemented in my first Zend Framework project.
Posted: Sun Dec 03, 2006 1:28 am
by RobertGonzalez
PHP 5.1.2 has built-in hashing. I use the hash() function in many situations.
This is more of an FYI for other readers as I know your version is lower than 5.1.2.
Posted: Sun Dec 03, 2006 11:09 am
by Oren
I've just found the hash_algos() function, so I checked it out and was happy to find sha256 on the list, but when I tried to call sha256() I got the undefined function error message. What the hell?
Posted: Sun Dec 03, 2006 11:15 am
by Toot4fun
hash_algos() doesn't list functions, but rather algorithms that are supported by your PHP installation. If it's listed in hash_algos(), then you can pass it as an argument to hash(). I'm doing the same thing here, so if (like me) you want to use sha256, you would call hash('sha256' 'string to hash goes here')
Posted: Sun Dec 03, 2006 11:19 am
by Oren
Thanks

And add the comma you forgot:
hash('sha256' 'string to hash goes here') should be:
hash('sha256', 'string to hash goes here')
Posted: Sun Dec 03, 2006 11:22 am
by Toot4fun
D'oh! Good catch.
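The following is an added example, not code posted by anyone in this thread, that puts feyd's "old hash marker" migration tip (question #3) together with the hash()/hash_algos() usage discussed above. It assumes PHP 7.0 or later (hash() and hash_algos() from 5.1.2, hash_equals() from 5.6, random_bytes() from 7.0); all function and record-format names are hypothetical. It goes one step beyond the thread by salting the new records, because an unsalted single-round digest of any algorithm is cheap to brute-force offline; the upgrade path is the same either way.

```php
<?php
// Added example (not from the thread): a versioned password store that
// still verifies legacy unsalted sha1 records and upgrades them to salted
// sha256 on the next successful login, following feyd's "old hash marker"
// tip. Names and the record format are hypothetical.
//
// Stored format: "<algo>$<salt-hex>$<digest-hex>".
// A record containing no '$' is treated as a legacy row holding a bare
// sha1(password) hex digest, which is what a 2006-era script would store.
const CURRENT_ALGO = 'sha256';

function make_record($password, $algo = CURRENT_ALGO) {
    // hash_algos() lists algorithm names, not functions; any name on the
    // list is valid as the first argument to hash().
    if (!in_array($algo, hash_algos(), true)) {
        throw new RuntimeException("hash algorithm $algo not available");
    }
    $salt   = bin2hex(random_bytes(16));          // 128-bit per-user salt
    $digest = hash($algo, $salt . $password);
    return $algo . '$' . $salt . '$' . $digest;
}

function parse_record($record) {
    $parts = explode('$', $record);
    if (count($parts) === 3) {
        return array('algo' => $parts[0], 'salt' => $parts[1], 'digest' => $parts[2]);
    }
    // Marker-less legacy row: unsalted sha1 digest in hex.
    return array('algo' => 'sha1', 'salt' => '', 'digest' => $record);
}

function verify_password($password, $record) {
    $r = parse_record($record);
    $candidate = hash($r['algo'], $r['salt'] . $password);
    // Constant-time comparison: a plain == would leak how many leading
    // bytes matched through timing.
    return hash_equals($r['digest'], $candidate);
}

// Returns the record to store after a login attempt, or null if the
// password is wrong. Because the raw password is in hand here, an old
// record can be rehashed with the current algorithm transparently.
function login_and_upgrade($password, $record) {
    if (!verify_password($password, $record)) {
        return null;
    }
    $r = parse_record($record);
    if ($r['algo'] !== CURRENT_ALGO || $r['salt'] === '') {
        return make_record($password);
    }
    return $record;
}

// Demo with a constructed legacy row (sample data, not real credentials).
$legacy = sha1('correct horse');
var_dump(verify_password('correct horse', $legacy));   // bool(true)
$upgraded = login_and_upgrade('correct horse', $legacy);
echo $upgraded, "\n";                                   // sha256$<salt>$<digest>
var_dump(verify_password('correct horse', $upgraded)); // bool(true)
var_dump(login_and_upgrade('wrong', $upgraded));       // NULL
```

The same marker-and-rehash pattern is how you would later move from fast digests like sha1 or sha256 to a deliberately slow password hash. On PHP 5.5 and later the built-in password_hash(), password_verify() and password_needs_rehash() implement exactly this (bcrypt by default, salt and algorithm marker embedded in the stored string), so for a new script you would use those rather than hand-rolling the record format shown here.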