
Changable Password SALT Script

Posted: Wed Jan 19, 2011 4:23 am
by sockpuppet
Here is a script to generate a 'random' SALT based on the username, which means you don't have to store anything in your database as an additional salt.

Counts the number of vowels in the username and then uses this to change the bit of the SALT that the username uses.

Not too system taxing, looking for ways to make it even more 'random' but still based on the username and password input.

Code:

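<?php
// Site-wide secret string; each per-user salt is a substring of it.
define('SESSION_SALT','a really really long string at least 3 * the max username length');

// SHA-512 hex digest of the input.
function ba_crypt($string) {
	return hash('sha512', $string);
}

// Hash the password with a salt cut from SESSION_SALT. The offset and length
// of the cut depend on the username's length and vowel count.
function ba_password($user,$password) {

	$ulen = strlen($user);
	$uvowels = ba_count_vowels($user);
	$salt_len = strlen(SESSION_SALT);

	$salt_start = ($salt_len/2)+$uvowels;
	$salt_drift = ($salt_len/2)-($ulen-$uvowels+7);

	$odd_flag = $salt_start - $salt_drift;

	// A negative length makes substr() stop that many characters before the end.
	if($odd_flag % 2) {
		$salt_drift = $salt_drift * -1;
	}

	// Cast to int: an odd-length SESSION_SALT makes these values floats.
	$salt = substr(SESSION_SALT,(int)$salt_start,(int)$salt_drift);
	return ba_crypt($salt . $password);
}


// Count the vowels (a, e, i, o, u; case-insensitive) in a string.
function ba_count_vowels($string) {
	$vowels = array("a","e","i","o","u");
	$length = strlen($string);
	$count = 0;

	for ($i = 0; $i < count($vowels); $i++) {
		for ($j = 0; $j < $length; $j++) {
			$char = strtolower(substr($string,$j,1));
			if ($char == $vowels[$i]) {
				$count++;
			}
		}
	}

	return $count;
}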
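
Added example, not part of the original post: it reduces the salt selection above to its two inputs (username length and vowel count) and compares the result for two users with PHP's built-in `password_hash()`, which stores a random per-hash salt inside the returned string. The `SESSION_SALT` value, usernames, password and the helper names `derived_salt` and `legacy_hash` are constructed for illustration.

```php
<?php
// Constructed sample secret (68 characters); not a value from the thread.
define('SESSION_SALT', 'constructed-sample-site-secret-0123456789-abcdefghijklmnopqrstuvwxyz');

// The post's salt selection: it depends only on username length and vowel count.
function derived_salt(string $user): string {
    $ulen   = strlen($user);
    $vowels = preg_match_all('/[aeiou]/i', $user);
    $half   = strlen(SESSION_SALT) / 2;
    $start  = $half + $vowels;
    $drift  = $half - ($ulen - $vowels + 7);
    if (($start - $drift) % 2) {
        $drift = -$drift;
    }
    return substr(SESSION_SALT, (int) $start, (int) $drift);
}

// Same construction as ba_password(): SHA-512 over salt . password.
function legacy_hash(string $user, string $password): string {
    return hash('sha512', derived_salt($user) . $password);
}

$password = 'correct horse';   // constructed sample password

// Two different usernames with the same length (5) and vowel count (3).
$saltA = derived_salt('alice');
$saltB = derived_salt('eddie');
echo "derived salts equal:      ";
var_dump($saltA === $saltB);
echo "legacy hashes equal:      ";
var_dump(legacy_hash('alice', $password) === legacy_hash('eddie', $password));

// Hardened form: password_hash() draws a fresh random salt on every call and
// embeds it, with the algorithm and cost, in the string it returns, so no
// separate salt column is needed in the database.
$h1 = password_hash($password, PASSWORD_DEFAULT);
$h2 = password_hash($password, PASSWORD_DEFAULT);
echo "password_hash() equal:    ";
var_dump($h1 === $h2);
echo "both verify the password: ";
var_dump(password_verify($password, $h1) && password_verify($password, $h2));
```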

Re: Changable Password SALT Script

Posted: Wed Jan 19, 2011 10:47 am
by Jonah Bron
Wouldn't it be simpler to MD5() the username?

Re: Changable Password SALT Script

Posted: Wed Jan 19, 2011 12:17 pm
by sockpuppet
More than likely. I just felt like making a salt based on vowels!

Re: Changable Password SALT Script

Posted: Wed Jan 19, 2011 12:51 pm
by Jonah Bron
Okay, well the main loop thing could be improved a bit.

Code:

// Single pass over the string; $vowels, $length and $count come from ba_count_vowels().
for ($i = 0; $i < $length; $i++) {
    if (in_array(strtolower($string[$i]), $vowels)) {
        $count++;
    }
}
There, isn't that better?

Re: Changable Password SALT Script

Posted: Wed Jan 19, 2011 1:09 pm
by Benjamin
I've got a very secure authentication mechanism which uses the length of the password in conjunction with the actual password to generate the salt. It's impossible to create the salt without knowing the length of the password. If you're interested let me know.

Re: Changable Password SALT Script

Posted: Wed Jan 19, 2011 1:27 pm
by sockpuppet
Thanks for the responses guys, code has been improved with your inputs.

Re: Changable Password SALT Script

Posted: Wed Jan 19, 2011 1:37 pm
by Jonah Bron
@Benjamin: again, why not just MD5 the username? But I would be interested in seeing your code.

Re: Changable Password SALT Script

Posted: Wed Jan 19, 2011 1:40 pm
by Benjamin
Jonah Bron wrote: @Benjamin: again, why not just MD5 the username? But I would be interested in seeing your code.
Because weak passwords can easily be discovered using rainbow tables when it's just a plain MD5 hash or if the salt is known. I'll post it in a new thread shortly.

Re: Changable Password SALT Script

Posted: Wed Jan 19, 2011 1:49 pm
by Jonah Bron
True, but then wouldn't creating a salt based on the length of the password be security through obscur... ohhhh, I see: because the password isn't known. Gotcha. I would really like to see the code now.