Changeable Password SALT Script

sockpuppet
Forum Newbie
Posts: 22
Joined: Tue Jan 18, 2011 8:38 am

Changeable Password SALT Script

Post by sockpuppet »

Here is a script to generate a 'random' SALT based on the username, which means you don't have to store anything in your database as an additional salt.

It counts the number of vowels in the username and then uses this to change the bit of the SALT that the username uses.

Not too system taxing; looking for ways to make it even more 'random' but still based on the username and password input.

Code:

define('SESSION_SALT', 'a really really long string at least 3 * the max username length');

function ba_crypt($string) {
	return hash('sha512', $string);
}

// Derive a per-user slice of SESSION_SALT from the username, then hash
// salt . password. Nothing besides SESSION_SALT itself needs to be stored.
function ba_password($user, $password) {
	$ulen     = strlen($user);
	$uvowels  = ba_count_vowels($user);
	$salt_len = strlen(SESSION_SALT);

	// Start in the middle of the constant, shifted right by the vowel count.
	// intdiv() keeps these values integers when SESSION_SALT has an odd
	// length, so substr() never receives a float.
	$salt_start = intdiv($salt_len, 2) + $uvowels;
	// Length of the slice; it shrinks as the username gains consonants.
	$salt_drift = intdiv($salt_len, 2) - ($ulen - $uvowels + 7);

	// When start minus drift is odd, negate the length: substr() then takes
	// the slice from $salt_start up to $salt_drift characters before the end.
	$odd_flag = $salt_start - $salt_drift;
	if ($odd_flag % 2) {
		$salt_drift = -$salt_drift;
	}

	// Caveat: a zero length, or a negative length that ends before
	// $salt_start, makes substr() return an empty salt (false on PHP < 8),
	// so SESSION_SALT must stay well above 3 * the maximum username length.
	$salt = substr(SESSION_SALT, $salt_start, $salt_drift);
	return ba_crypt($salt . $password);
}

// Count the ASCII vowels in $string, case-insensitively.
function ba_count_vowels($string) {
	$vowels = array("a", "e", "i", "o", "u");
	$length = strlen($string);
	$count  = 0;

	for ($i = 0; $i < count($vowels); $i++) {
		for ($j = 0; $j < $length; $j++) {
			$char = strtolower(substr($string, $j, 1));
			if ($char == $vowels[$i]) {
				$count++;
			}
		}
	}

	return $count;
}
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Changeable Password SALT Script

Post by Jonah Bron »

Wouldn't it be simpler to MD5() the username?
sockpuppet
Forum Newbie
Posts: 22
Joined: Tue Jan 18, 2011 8:38 am

Re: Changeable Password SALT Script

Post by sockpuppet »

More than likely. I just felt like making a salt based on vowels!
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Changeable Password SALT Script

Post by Jonah Bron »

Okay, well the main loop thing could be improved a bit.

Code:

// One pass over the string; in_array() replaces the outer loop over $vowels.
for ($i = 0; $i < $length; $i++) {
    if (in_array(strtolower($string[$i]), $vowels)) {
        $count++;
    }
}
There, isn't that better?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Changeable Password SALT Script

Post by Benjamin »

I've got a very secure authentication mechanism which uses the length of the password in conjunction with the actual password to generate the salt. It's impossible to create the salt without knowing the length of the password. If you're interested, let me know.
sockpuppet
Forum Newbie
Posts: 22
Joined: Tue Jan 18, 2011 8:38 am

Re: Changeable Password SALT Script

Post by sockpuppet »

Thanks for the responses guys, code has been improved with your inputs.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Changeable Password SALT Script

Post by Jonah Bron »

@Benjamin: again, why not just MD5 the username? But I would be interested in seeing your code.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Changeable Password SALT Script

Post by Benjamin »

Jonah Bron wrote: @Benjamin: again, why not just MD5 the username? But I would be interested in seeing your code.
Because weak passwords can easily be discovered using rainbow tables when it's just a plain MD5 hash or if the salt is known. I'll post it in a new thread shortly.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: Changeable Password SALT Script

Post by Jonah Bron »

True, but then wouldn't creating a salt based on the length of the password be security through obscur... ohhhh, I see: because the password isn't known. Gotcha. I would really like to see the code now.
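An added example, not code from anyone in this thread, that runs the same wordlist lookup against the two salt ideas discussed above, sockpuppet's username-derived salt (in Jonah's simpler hash-the-username form rather than the vowel scheme) and Benjamin's length-derived salt, and then against PHP's password_hash(). Benjamin never posted his scheme, so hashLengthDerived() is a hypothetical instance of "salt from the password's length"; SITE_SECRET, the wordlist and the user table are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Puts a username-derived salt, a
// hypothetical password-length-derived salt and password_hash() side by side
// and runs one precomputed wordlist table against each. SITE_SECRET, the
// wordlist and the users below are constructed for illustration.
declare(strict_types=1);

const SITE_SECRET = 'a really really long string at least 3 * the max username length';

// Username-derived salt, Jonah's simpler variant of the thread's idea: the salt
// is a hash of a site constant and the username, so nothing extra is stored.
function hashUserDerived(string $user, string $password): string
{
    $salt = hash('sha256', SITE_SECRET . $user);
    return hash('sha512', $salt . $password);
}

// Hypothetical length-derived salt (assumption, Benjamin's real scheme is not
// on the page): the salt depends only on strlen($password).
function hashLengthDerived(string $password): string
{
    $salt = str_repeat('#', strlen($password));
    return hash('sha512', $salt . $password);
}

// Random per-user salt: password_hash() draws the salt from the CSPRNG and
// stores it, with the algorithm and cost, inside the returned string.
function hashRandomSalt(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 10]);
}

// Attacker's precomputation: one lookup table from stored hash back to guess.
function buildTable(callable $hashFn, array $wordlist): array
{
    $table = [];
    foreach ($wordlist as $guess) {
        $table[$hashFn($guess)] = $guess;
    }
    return $table;
}

// How many of the stored hashes a single precomputed table recovers.
function crackedByOneTable(array $table, array $storedHashes): int
{
    $hits = 0;
    foreach ($storedHashes as $stored) {
        if (isset($table[$stored])) {
            $hits++;
        }
    }
    return $hits;
}

$wordlist = ['123456', 'password', 'letmein', 'qwerty', 'hunter2'];            // constructed
$users    = ['alice' => 'hunter2', 'bob' => 'hunter2', 'carol' => 'letmein'];  // constructed

// Length-derived salt: the salt is fixed by the guess itself, so a table built
// once over the wordlist is valid for every account on the site, exactly as it
// would be for an unsalted hash. Every user in $users is recovered by it.
$lengthTable = buildTable('hashLengthDerived', $wordlist);
$lengthHits  = crackedByOneTable($lengthTable, array_map('hashLengthDerived', $users));

// Username-derived salt: a table built for alice does not match bob even though
// they share a password, so cross-user precomputation is defeated. The attacker
// must rebuild the table per target instead, which costs one fast sha512 per
// guess and needs nothing beyond the username and the site constant.
$aliceTable = buildTable(fn(string $g) => hashUserDerived('alice', $g), $wordlist);
$userHits   = 0;
foreach ($users as $name => $pw) {
    $userHits += crackedByOneTable($aliceTable, [hashUserDerived($name, $pw)]);
}

// Random salt: the attacker learns the salt only from the stolen hash, so no
// table can exist in advance, and every guess pays 2^cost bcrypt rounds.
$stored = hashRandomSalt('hunter2');
$ok     = password_verify('hunter2', $stored);
$bad    = password_verify('letmein', $stored);

printf("length-derived salt:   %d of %d users cracked by one table\n", $lengthHits, count($users));
printf("username-derived salt: %d of %d users cracked by alice's table\n", $userHits, count($users));
printf("random salt:           correct password verifies=%s, wrong password verifies=%s\n",
    var_export($ok, true), var_export($bad, true));
```

Runs on PHP 7.4 or later. The point Jonah almost reaches: a salt computed from the password is known to anyone who holds the guess, so it never varies between users and one precomputed table serves the whole site, which is the rainbow-table problem it was meant to solve. A username-derived salt does stop a table from transferring between accounts, but the salt is public and the hash is a single fast sha512, so a targeted attacker still pays only one hash per guess; password_hash() supplies both an unpredictable salt and a tunable work factor, and stores them in the hash so nothing about the derivation has to stay secret.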