Why use a hash?

Posted: Fri Feb 16, 2007 4:42 pm
by pocnib
I just started teaching myself PHP about a week ago and was surprised at how many people recommend hashing a password when using PHP. I thought that PHP was invisible to the receiving feature, i.e. you cannot view the PHP code embedded in a website, so even if you just use (pseudo code)

if ($pass == 'password')
    go to /login.php
else
    repeat

that will be invisible to the user. Therefore, using encryption, especially hashing algorithms, seems like a major waste of time, space, and processing power. Unless it is possible for someone to view your php script but that would mean that they also have server side access so they could view the password file as well.

Basically, to sum it all up, is there any valid reason to use hash encryption for a php site?

Posted: Fri Feb 16, 2007 5:09 pm
by kaszu
It is not because someone could see the code.

If you are saving passwords in a database or any other place (which you probably will do), then you should always hash them before saving.
If you save passwords just as they are, then the administrator will be able to see them by accessing the database (or if someone steals the database), then log in as any user and impersonate (is this correct? I need a dictionary :? ) him.

A few weeks ago there was a very interesting article here from one of the forum members about password saving, hashing, etc.
search.php

Posted: Fri Feb 16, 2007 5:20 pm
by superdezign
Impersonate is the correct spelling.

Hashing is necessary because hackers exist. The internet isn't the most secure place in the world, so it's your job to make it as secure as possible.

Posted: Fri Feb 16, 2007 5:29 pm
by Mordred
The article is still in draft (I have yet to find time to work on it further) and it discusses mainly attack scenarios on stored passwords. The reader is expected to be familiar with password hashing, so you'd better first read something on the matter, for example this:
http://phpsec.org/articles/2005/password-hashing.html

The article itself is here: viewtopic.php?t=62782

Since after reading these you'll be a first-timer with hashing, I would love to hear and discuss whatever (if anything) you had trouble understanding, so that I may clarify what needs to be explained in more detail.

thanks

Posted: Fri Feb 16, 2007 11:24 pm
by pocnib
That helps. I am not new to hashing, I know what it is and how to beat it (it may be a one-way encryption but that doesn't mean it is infallible; getting plain text from a hash is really not that difficult depending on the methods and other features). I understood the need for hashing in a truly secure environment such as OS passwords where the end user has hard access to the files and folders, it just seems to me like hashing in PHP where the code is invisible would be like throwing a combination lock on the White House: sure it is more secure, but it is really quite pointless. I look forward to reading the articles, however, and continuing to learn PHP.

Posted: Fri Feb 16, 2007 11:30 pm
by superdezign
Is it invisible in your database? No.

Posted: Sat Feb 17, 2007 3:22 am
by Mordred
superdezign wrote: Is it invisible in your database? No.
I will add, "Is it invisible in your code?" - No!

Even if you keep the secret hardcoded in your PHP code (which is inflexible and impractical if you want more than one user), can you absolutely, 100% guarantee that it would remain invisible? I have seen many examples of this not being true.
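
Added example (not code from this thread or any of its posters): the point kaszu makes about the database and the point Mordred makes about the source both come down to the same thing, so one script covers both. It replaces the plaintext comparison from the first post with PHP's built-in password_hash()/password_verify() (available since PHP 5.5, which postdates this thread). The in-memory $users array is a constructed stand-in for a database table, and the usernames and passwords are made up.

```php
<?php
// Added example, not from the thread. Stores a salted, slow hash (bcrypt via
// PASSWORD_DEFAULT) instead of the password itself, so that whoever reads the
// database row, or the source code, learns a hash that still has to be
// cracked per user rather than the password outright.
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12]; // higher cost = slower per guess for an attacker

// Constructed in-memory "users" table standing in for a real database.
$users = [];

// Dummy hash used so that an unknown username costs the same time to reject
// as a wrong password (avoids confirming which usernames exist by timing).
$dummyHash = password_hash('dummy-not-a-real-password', PASSWORD_DEFAULT, HASH_OPTIONS);

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() generates a random salt and embeds it in the result,
    // so two users with the same password still get different hashes.
    $users[$username] = [
        'password_hash' => password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS),
    ];
}

function login(array &$users, string $dummyHash, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        password_verify($password, $dummyHash); // burn the same time, then reject
        return false;
    }

    $stored = $users[$username]['password_hash'];

    // password_verify() reads the salt and cost out of $stored and compares
    // in a way that does not leak how many characters matched.
    if (!password_verify($password, $stored)) {
        return false;
    }

    // If the default algorithm or cost has been raised since this hash was
    // made, re-hash now while the plaintext is legitimately in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $users[$username]['password_hash'] = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    }

    return true;
}

// --- usage with constructed data ---
registerUser($users, 'alice', 'correct horse battery staple');

// This is all an administrator, or someone who has stolen the table, sees:
echo "stored for alice: ", $users['alice']['password_hash'], "\n";

foreach ([
    ['alice', 'correct horse battery staple'],
    ['alice', 'password'],
    ['nobody', 'password'],
] as [$user, $attempt]) {
    $result = login($users, $dummyHash, $user, $attempt) ? 'accepted' : 'rejected';
    echo "login as {$user}: {$result}\n";
}
```

Note the contrast with the pseudocode from the first post: there the secret is a literal in the script, so anyone who obtains the source (a misconfigured server, a backup, a leaked repository, the many cases Mordred alludes to) has the password; here neither the source nor the table contains it. The cost factor is the knob that answers pocnib's objection that hashes can be reversed: an unsalted, fast hash can be looked up or brute-forced cheaply, while bcrypt with a random salt forces the work to be repeated for every user at a rate you control.
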