I decided to drop md5() as the password-encrypting algorithm when storing user passwords in DB, in favor of phpass library.
On the systems using md5, it was no problem to have a Production/Development dyad, as the resulting hash was the same. So, in case I created a test user in either one of them, the same password worked in the other environment.
From what I gather, this is not the same for other types of hashing algorithms, as phpass (or its internal php functions) creates platform-dependent hashes (I'm a hashing/encryption novice).
My question is, how should one approach this situation? Different database in prod/dev? But what if "upstairs" decided that we should move our web application (along with its DB) to another server - wouldn't the hashed passwords be now invalid - as phpass would create different hashes for the same (old) passwords?
Later edit:
Well, I didn't bother to check a dev hash to a production one. Even though they're different, their comparison results in "true", as in "they're quivalent". I thought, if hashes are different, they don't match (like md5).
A very simple solution to your problem: Always use the latest stable version of PHP. As of 5.3 PHP provides native implementations of crypt algorithms and thus isn't platform dependent anymore. Your hashes should thus be compatible.
Is there a particular reason why you decided to use the phpass library? You didn't elaborate on that point, but if you were simply looking for a more secure algorithm than MD5, take a look at hash() coupled with an algorithm like sha512.
Tiger algorithms in PHP
The Tiger192,4 algorithm is often recommended for hashing, however I've just discovered you can get different hash values on different machines.
Impossible! (you say)
Well it turns out PHP <5.4 implements Tiger with LSB first, while PHP 5.4+ implements Tiger with MSB first. Which is correct? I can't say (LSB matches testtiger while MSB matches the wikipedia examples) but the point is... don't use Tiger if hashes need to be portable or survive a PHP upgrade (a PHP 5.3->5.4 will break a Tiger hashed password table, which has significant maintainability implications).
To test...
echo hash("tiger192,3","The quick brown fox jumps over the lazy cog")."\n".
hash("tiger192,3","");
MSB: (PHP 5.4.5)
a8f04b0f7201a0d728101c9d26525b31764a3493fcd8458f
3293ac630c13f0245f92bbb1766e16167a4e58492dde73f3
LSB: (PHP 5.3.2)
d7a001720f4bf0a8315b52269d1c10288f45d8fc93344a76
24f0130c63ac933216166e76b1bb925ff373de2d49584e7a
(My solution? Use a different algorithm, and embed a known hash test in the unit test code)
Related
I am looking at implementing key generation from a password using PBKDF2. Since PHP 5.5, there is the function http://www.php.net/manual/en/function.hash-pbkdf2.php, but my server is running on PHP 5.3. After a quick search on the web, I found this custom implementation in PHP: https://gist.github.com/rsky/5104756 My question to someone more experienced in the field is if it is considered safe?
If it compiles to correct test vectors then I would not worry overmuch on security for key derivation functions.
You may have to worry about side channel attacks if you are on a machine that also provides access to other users. In that case you probably have to worry about side channel attacks on the hash algorithm; normally it's tricky to perform time based attacks on symmetric algorithms on a fast CPU though (unprotected RSA is much easier).
It is important that salt values are large enough and do not repeat, so check the secure random number implementation on the system.
Note that there are multiple levels of "safe". Without exact details of the system, use case, thread models etc. nobody could or should give you more than a generic answer.
I want to create a membership site so i want to make the passwords as safe as possible. I can see from reading sites including this one the md5, sh1 encryption are a serious no no. I've seen some other things like bcript, scrypt, sha256, sha512 and PBKDF2. I have found some php scripts implementing these but not really found anything of note to do with the database.
Do i have to create a row containing the salt?
Verifying the password do i have to do something like hash(salt+password) = $hash?
Because i'm not the most experienced at passwords i'm not really sure of the best practices, how when you hash the password + salt what happens then, how the passwords are retrieved...
I think because i dont really understand the logic behind it i'm feeling a little confused about how to go about it.
If you use Bcrypt, Scrypt, or PBKDF2, the salt is part of the hash you get, so no, you don't have to worry about storing it separately. Otherwise (SHA-*), yes — but you shouldn't use those anyways. Bcrypt, Scrypt, and PBKDF2 are actual password-hashing functions.
I'd recommend Bcrypt, since you tagged this php. It's built-in. Scrypt isn't.
A common best practise (see e.g. Linux passwd) is to store the password hashes as
$<algorithm>$<salt>$<hash>
for example this string:
$6$Lxgyf7h6DtkrqwT$0w/BoB6neYjEtdQdUEs3ftnnNguBNTug8.g/9UeMmZ9bN/cDJCE0dj8.4D/8HPN5bMqFPJ4ECnGl5M2iqBmmv/
is a salted SHA-512 (algorithm id 6) password hash salted with Lxgyf7h6DtkrqwT that should be understood by most servers out of the box.
The benefit of this is that you can actually support different algorithms at the same time. So some users may still have e.g. SHA-256 passwords, while for any user changing his password you switch to a more secure algorithm.
A good starting point to read about modular hashing schemes, read this article in Wikipedia on the crypt (Unix) function. The hype around bcrypt (and the misinformation that crypt would equal DES hashing) is indicative of a certain naiveness of PHP developers with respect to password security. bcrypt is not bad (well, it relies on computational complexity instead of stronger algorithms AFAIK, but it certainly seems to beat MD5). But I would advise using something like this scheme which is A) portable, and B) extensible, so that you can at any time smoothly transition to stronger password hashes.
In 99% of programming languages (including PHP), this functionality is available out of the box via the crypt function, by choosing an appropriate salt, starting with $6$ and the appropriate length of salt characters.
And to clean up some of the misinformation systematically spread by bcrypt advocates: this is not using just one round of sha-512, but the default apparently (see http://www.akkadia.org/drepper/sha-crypt.html ) is 5000 rounds of SHA-512. And you can choose to increase the number. So for my understanding the "but bcrypt can be scaled up when needed" claim also holds for crypt-SHA512. In contrast to bcrypt, this should be available on any Linux system using glibc 2.7 onward. bcrypt is an extension only available on some distributions or with some extensions. On Debian and probably Ubuntu you apparently need to install the extension
libpam-unix2 - Blowfish-capable PAM module
I was wondering if there is a python cognate to PHP's crypt() function that performs in a similar way, generating a random salt and embedding it within the saved string.
I have a table of hashed passwords that were created using the $5$ string key to setup a SHA256 based salted cryptogram. These hashes had some additional recorded entropy attached to both ends at a fixed interval, but splitting these characters off the string and getting the core hash is trivial and not a problem at all.
I've looked at the python documentation and can't find any methods in hashlib that seem to utilize the same syntax from php's crypt(). Is the approach utilized in PHP (the input format split with dollar signs between salt, algo and rounds) unique to the language?
Thanks.
EDIT:
It looks as though the revised version of python's own native crypt function is going to utilize procedures similar to that of PHP. From the 3.3 pre-release documentation:
http://docs.python.org/dev/library/crypt.html
EDIT:
Finally found Passlib, a library that provides this functionality in pure python.
http://packages.python.org/passlib/index.html
I realize that this question is old, however I found it while I was trying to implement a login algorithm in Python that was originally written in PHP. The crypt function in PHP uses any of a handful of somewhat insecure DES algorithms, including bcrypt. It depends on what you hash your string with. Passlib is pretty much your best bet for replicating the functionality your application is currently getting from PHP crypt. Take one of your hashed passwords, and look at the front of the string. You should see something like $2a$, $3$, $6$ (or similar). Note that if this string does not exist, you are more than likely using standard DES hashing.
Take that info to this link:
http://pythonhosted.org/passlib/modular_crypt_format.html#mcf-identifiers
Then, match it up to the algorithm you need to implement in Python. The Scheme identifiers are links to the passlib documentation regarding that hashing algorithm. At this point, you should have all the info you need to complete your reimplementation.
It certainly looks very similar to FreeBSD's crypt (see "modular crypt" in the manpage). I don't really recall if it's the same way in Linux or other but this seems to indicate it's not unique.
There's no direct equivalent in Python as far as I know, but it shouldn't be too hard to roll your own since the encryption algorithms themselves should be supported in hashlib.
I am working on a script and need to save passwords. For development purposes, I have been using the crypt() function because it was easy and available. Now that I am mostly done, I want to replace it with something a little better and more consistent.
Some of the concerns I have are:
not all algorithms are supported on every system
sometimes the salt is pre-pended to the result (seems like a security problem)
I want something that works with PHP 4.3+.
Is there anything available, or should I stick with crypt()? I thought about using md5(md5($password).$salt). Thanks for the insight.
There is nothing wrong with crypt
If your server does not support it, use another server.
You should NEVER use MD5 for hashing passwords (or even SHA1 for that matter)
Use either bcrypt (the blowfish method of crypt) or pbkdf2
There is an implementation of pbkdf2 here:
Encrypting Passwords with PHP for Storage Using the RSA PBKDF2 Standard
More information on why and how here:
Which password hashing method should I use?
Do any security experts recommend bcrypt for password storage?
First of all: Prepending the salt is not a security problem. Having a per-password salt is a big goodie, and it's perfectly OK to it being store alongside the pw.
Now: As long as you don't transport password hashes from one system to another, and the latter not supporting the default algorithm of the first, nothing bad will happen by definition. Since PHP 5.3 there are built-in algorithms in PHP such as Blowfish, that are guaranteed to be available.
I am migrating my PHP code to Google App Engine - Java.
Since I couldn't find an equivalent function of crypt in Java,
I can do without it if I find an equivalent function in actionscript.
Edit 1: Here is my php code for encrypting passwords :
$password = "test123";
$pwd = crypt($password,$password);
echo $pwd;
Output is (On Windows as well as a linux based server on HostMonser):
temjCCsjBECmU
as3crypto might be of help. It provides DES, and together with Base64, you should be able to recreate PHP's crypt function. OTOH, unless you really need the exact same behaviour, you might just as well take anything else the library offers.
greetz
back2dos
Don't think you'll find an exact analog. crypt() as exists in PHP is an artifact of its Unix heritage, and is usually just a wrapper around the base C library. It won't even behave identically between operating systems.
What you should do is define your password hashing practice clearly (e.g. SHA256 with 8 bytes of salt or something), and run it through a library providing the appropriate algorithm.
Google for com.adobe.crypto (pretty sure it's part of the as3corelib project), it has several cryptographic hash functions.
You can accomplish this same thing in Java as well (and probably better and faster), though I don't know any particular libraries off the top of my head, not having dealt much with Java.
Incidentally, you should probably read through these articles before going much further:
http://en.wikipedia.org/wiki/Cryptographic_hash_function
http://en.wikipedia.org/wiki/Crypt_(Unix)
http://en.wikipedia.org/wiki/Salt_(cryptography)