i'm sorry for the bad use of English... I'm having a problem with making a function that hashes my password with a salt(first time using a salt).
The problem is that I don't know how to really return the salted/hashed password from the function.
My code:
# Password hashing with a salt.
function hashing($stringPassword)
{
// Making a random uniq code as salt.
$salt = uniqid(mt_rand(), true);
$HASH512 = hash('SHA512', $stringPassword);
$hashPassword = $salt.$HASH512;
return $stringPassword;
}
And how I tried to test it:
<?php
$stringPassword = '482301';
hashing($stringPassword);
echo $hashPassword;
?>
Thank you for helping!
Your code is backwards. The salt has to be part of the password BEFORE you hash it. and then you need to return the hashed password AND the salt, so that you can do proper comparisons later.
function hashing($cleartext) {
$salt = uniqid(mt_rand(), true);
$hash512 = hash('SHA512', $salt . $cleartext);
return(array('hash' => $hash512, 'salt' => $salt));
}
$foo = hashing('letmein');
echo "Salt is: $foo[salt]";
Since you are hashing passwords, you should be aware that the SHA* algorithms are not appropriate to hash passwords. They are much too fast, instead you need a function with a cost factor like BCrypt or PBKDF2 where you can control the necessary time for the calculation.
PHP offers a dedicated function password_hash() to generate BCrypt hashes, for earlier PHP versions you can use the compatibility pack:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_BCRYPT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
Related
public function beforeSave(){
$salt = "Acrec_$";
$hashed = hash('sha512', $salt . $this->password);
$this->password = $hashed;
}
I'm using a custom Salt and custom hash to encrypt the users password, but, now i need to log-in the users.
the Code inside loginAction();
$this->auth->check([
'email' => $this->request->getPost('email'),
'password' => $this->request->getPost('password'),
'remember' => $this->request->getPost('remember')
]);
In phalcon just use:
$password = $this->request->getPost('password');
$user->password = $this->security->hash($password);
And
$password = $this->request->getPost('password');
$user = Users::findFirst();
if ($this->security->checkHash($password, $user->password)) {
// any logic here
}
By default it's using bcrypt which has salts built-in.
With PHP use password_hash and password_verify, the pair are secure and easy to use.
When saving a password verifier just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Better yet use a function such as PBKDF2, Rfc2898DeriveBytes, password_hash, Bcrypt, passlib.hash or similar functions. The point is to make the attacker spend a substantial of time finding passwords by brute force.
I have problem with password hashing. This is my controller
public function registerUser() {
$valid = Validator::make(Input::all(), array(
'pass' => 'required|min:5',
'pass2' => 'required|same:pass'
));
if($valid->fails()) {
return Redirect::route('register')->withErrors($valid)->withInput();
}
// $password = Input::get('pass');
if(Input::hasFile('photo')) {
$img = Input::file('photo');
if($img->isValid()) {
echo Hash::make(Input::get('pass'));
}else{
return Redirect::route('register')->withInput()->with('errorimg','image-error');
}
}else{
echo Hash::make(Input::get('pass'));
}
//return Redirect::route('register')->with('success','register-success');
}
Everytime I refresh my browser, the hashed pass is always change.
ex : if I put "qwerty" as pass, it should show
$2y$10$PPgHGUmdHFl.fgF39.thDe7qbLxct5sZkJCH9mHNx1yivMTq8P/zi
Generating a different hash every time is on purpose, because the Hash::make() method will generate a random salt. A random salt is necessary to securely protect the user's passwords.
To check an entered password against the stored hash, you can use the method Hash::check(), it will extract the used salt from the hash-value and uses it to generate comparable hashes.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = Hash::make($password);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = Hash::check($password, $existingHashFromDb);
That's because if you don't give a salt bcrypt creates one every time it hashes something.
Source
I realize this is not as secure as it could be, but I want to do it this way.
I have this code which generates the password from a user's entry ($password)...
$salt = mcrypt_create_iv(22, MCRYPT_DEV_URANDOM);
$new_password = md5($salt . $password);
$new_password = $salt . $new_password;
This is how I'm trying to check against the saved password:
$split_salt = substr($saved_password, 0, 22);
$incomplete_password = md5($split_salt . $current_password);
$hashed_password = $split_salt . $incomplete_password;
if ($saved_password != $hashed_password) {
$error = "error";
} else {
//Validated
}
As far as I can tell this should work. However, I'm getting the error instead of the validation. Does this have something to do with MCRYPT not producing exactly 22 characters?
I know this is not what you want to hear, but your scheme is so utterly unsafe and a good solution is so simple to implement, that you should reconsider:
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
Your actual problem is the salt, mcrypt_create_iv() will return a binary string and it can very well contain \0 characters. So it is pure luck if your approach works or not.
I want my login password to be secured. So I came up to use the PHP's crypt() function to hash the password before inserting it to database. But Im having trouble when comparing the user input password from the converted hash password. Here's my code:
<?php
$password = 'hello_password';
# A higher "cost" is more secure
$cost = 10;
# Create a random salt
$salt = strtr(base64_encode(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)), '+', '.');
# Blowfish algorithm.
$salt = sprintf("$2a$%02d$", $cost) . $salt;
$salted_password = $password . $salt; // apply salt to password
# hash the password
$hash_password = hash('sha256', $salted_password);
$userInput = 'hello_password'; // suppose this is the user input password
if (hash('sha256',$userInput) == $password) {
echo "Password Verified.";
}
else {
echo "Incorrect Password";
}
?>
But it always displays Incorrect Password although my password is correct. I don't want to use "hash_equals" function as it is not supported with my current PHP version. Can someone help me with this ? Thanks
You're comparing a hashed user input to the actual user password. So of course this is never going to work.
You're basically asking if hash == 'hello_password'. A hash will never match that, that is the whole point of a hash. You also aren't using the salt with the user input.
You hash the actual password with a salt which is fine:
$salted_password = $password . $salt; // apply salt to password
# hash the password
$hash_password = hash('sha256', $salted_password);
So you need to hash the user input with the salt, the same way:
$salted_input = $userInput . $salt; // apply salt to user input
# hash the input
$hash_input = hash('sha256', $salted_input);
Then you can compare $hash_input with $hash_password.
You also aren't using a salt properly. The salt is supposed to be used in the storage of the password to prevent rainbow table attacks. Randomly generating a salt to apply to both the input and the password at the time of comparison is pointless.
I have been trying to learn about hashes and salts stored in a users table withing a mysql DB. I get through with storing them but can't seem to wrap my head around how to validate when the user logs in.
I have looked through and seen about storing the salt and hash seperately and together. The salt that I am producing is random.
Any ideas?
I have posted my code.
<?php
$password = 'passwordwhatever';
//generate the salt
function gen_salt() {
$salt = uniqid(mt_rand(), true) . sha1(uniqid(mt_rand(), true));
$salt = crypt('sha512', $salt);
return $salt;
}
//generate the hash
function gen_hash($salt, $password) {
$hash = $salt . $password;
for($i = 0; $i < 100000; $i++) {
$hash = crypt('sha512', $hash);
}
$hash = $salt . $hash;
return $hash;
}
$password = gen_hash(gen_salt(), $password);
echo $password;
?>
As long as you produce the same salt, it shouldn't matter too much. Store it in your db, in configuration, as long as you can get to it. The effort of reversing a SHA512 hash is so high that unless you're the Pentagon, nobody will bother. The point is that you want to be able to repeat the hash with the same salt so you can be very sure that the input was the same without having to store the sensitive input. If that makes sense.
The salt is going to need to be contained somewhere within the database (or somewhere). Some options are to append the salt to the hash or stored as its own field. I like appending it to the hash.
$password = $salt . '.' . $hash;
Then when the user goes to login, you grab his password, break it into the hash and the salt, and use your password generation function (with the salt from the password instead of a random salt) to determine if it matches the password in the db.
list($salt,$hash) = explode('.', $password);
$check = gen_hash($salt, $input_pass);
if ($check === $password)
// valid
Maybe you should take a look on bcrypt. This might help you. I wrote some tutorials but they are in german. Oh and PHP 5.3 support bcrypt natively.