  1. #1
    Regular Coder
    Join Date
    Oct 2011
    Posts
    237
    Thanks
    11
    Thanked 5 Times in 5 Posts

    Is this a good way to hash passwords?

    Hi guys, how are things?

    I've recently been thinking of ways to make my passwords a little less hackable.

    I've been thinking of using bcrypt or scrypt, but in my way of thinking it's not how good the hash encryption algorithm is but how you set your passwords out.

    I may be wrong here as I have only been in this industry for 18 months.

    But I was thinking of having a salt password and pepper in sha256, which I know is not the best but still has 256-bit encryption which will slow the hacker down a few seconds lol..

    Then I was thinking of cutting the password into 20 and scrambling it.

    Like so

    PHP Code:
    // Site-wide salt: a fixed string hashed once (64 hex characters).
    $salt = hash('sha256', '&^RVNH.dsf(&');
    // Per-user pepper built from rand(). rand() only takes integers, so the
    // random letter is produced with chr()/ord() rather than rand('a','z').
    $pepper = hash('sha256', rand(1, 9999) . chr(rand(ord('a'), ord('z'))) . rand(1, 999));
    // 64 + 64 + 64 + 8 = 200 characters in total
    $passraw = $salt . hash('sha256', $password) . $pepper . '9s8fj2ms';
    $p1  = substr($passraw, 0, 10);
    $p2  = substr($passraw, 10, 10);
    $p3  = substr($passraw, 20, 10);
    $p4  = substr($passraw, 30, 10);
    $p5  = substr($passraw, 40, 10);
    $p6  = substr($passraw, 50, 10);
    $p7  = substr($passraw, 60, 10);
    $p8  = substr($passraw, 70, 10);
    $p9  = substr($passraw, 80, 10);
    $p10 = substr($passraw, 90, 10);
    $p11 = substr($passraw, 100, 10);
    $p12 = substr($passraw, 110, 10);
    $p13 = substr($passraw, 120, 10);
    $p14 = substr($passraw, 130, 10);
    $p15 = substr($passraw, 140, 10);
    $p16 = substr($passraw, 150, 10);
    $p17 = substr($passraw, 160, 10);
    $p18 = substr($passraw, 170, 10);
    $p19 = substr($passraw, 180, 10);
    $p20 = substr($passraw, 190, 10);

    // Reassemble the 20 slices in a fixed, scrambled order.
    $passencrypt = $p2 . $p5 . $p19 . $p11 . $p1 . $p15 . $p7 . $p18 . $p3 . $p20 . $p17 . $p16 . $p4 . $p10 . $p8 . $p12 . $p14 . $p9 . $p13 . $p6;
    Can someone tell me if this is worth it, or am I just playing with stuff that won't make any difference?

    Thanks

    **EDIT**

    Forgot to mention: because the pepper is random, this is stored in a different table within the database to retrieve it when login is in effect.
    Last edited by devinmaking; 01-29-2013 at 03:41 PM.

  • #2
    New Coder
    Join Date
    Dec 2012
    Location
    USA
    Posts
    82
    Thanks
    3
    Thanked 17 Times in 17 Posts
    It doesn't really matter if it's in a separate table within the same database, if a hacker has access to one table, s/he has access to all tables.

    Doing what you are doing will stump the amateur hacker, but a pattern is a pattern, regardless of how you slice and dice it.

    I won't say "this is worth it", but I also won't say this isn't worth it - passwords are inherently and forever insecure.

  • #3
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    IMO this is more work than you need. Sha256 would be 2^256 chance for collision, which is, well, very high. I'm not a cryptographic expert by any far stretch of the imagination, but best I know sha256 has not been compromised as of yet. I wouldn't go to any effort to chop the strings up.
    The ordering isn't desirable though. You have a salt and pepper that are added after the hash, which means that all passwords start and end with the same sequence. Instead, use hash('sha256', $salt . $password . $pepper); where salt and pepper could be anything, even a single byte that adds uniqueness to the password. So two users with the password 'apassword' don't end up with the same password within storage.
    Cutting the string up isn't all that helpful overall. If software is compromised as well, then the pattern is a standard sequence in order to reassemble it. Since you cannot randomize it, you would either need to do pattern reassembly for it based on offset sequence, or you would need to calculate reassignment based on values. The latter is pretty much what the hashing algorithms are doing anyways.
    BTW, if you want to split that up, create an array using str_split instead.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)
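An added example, not code from the thread, contrasting the ordering in the first post (fixed salt and random pepper concatenated around an unsalted sha256 of the password) with the ordering Fou-Lu suggests (salt and pepper inside the hash input), and rebuilding the 20-slice shuffle with str_split as suggested. The salt string and the slice order are taken from the first post; the pepper value and user passwords are made up, and the code assumes PHP 7 or later for random_bytes() and declare(strict_types=1).

```php
<?php
// Added example, not from the thread. Compares the first post's ordering with
// hash('sha256', $salt . $password . $pepper), and shows the 20-slice shuffle
// built with str_split. All sample values are constructed.
declare(strict_types=1);

// First post's layout: 64-char fixed salt + 64-char sha256(password)
// + 64-char pepper + 8 fixed chars = 200 characters.
function hashOriginalOrder(string $password, string $fixedSalt, string $pepper): string
{
    return $fixedSalt . hash('sha256', $password) . $pepper . '9s8fj2ms';
}

// Fou-Lu's ordering: salt and pepper are part of what gets hashed.
function hashSaltedOrder(string $password, string $salt, string $pepper): string
{
    return hash('sha256', $salt . $password . $pepper);
}

// Per-user random salt from the CSPRNG, stored next to the hash.
function newSalt(): string
{
    return bin2hex(random_bytes(16));
}

// The slice order from the first post ($p2 . $p5 . $p19 ...), as slice numbers.
const SLICE_ORDER = [2, 5, 19, 11, 1, 15, 7, 18, 3, 20, 17, 16, 4, 10, 8, 12, 14, 9, 13, 6];

// str_split replaces the twenty substr() calls.
function scramble(string $raw): string
{
    $parts = str_split($raw, 10);
    $out = '';
    foreach (SLICE_ORDER as $n) {
        $out .= $parts[$n - 1];
    }
    return $out;
}

// The permutation is a constant in the code, so whoever has the code undoes
// it with the same constant; it adds nothing to what the digest provides.
function unscramble(string $scrambled): string
{
    $parts = str_split($scrambled, 10);
    $restored = array_fill(0, count(SLICE_ORDER), '');
    foreach (SLICE_ORDER as $pos => $n) {
        $restored[$n - 1] = $parts[$pos];
    }
    return implode('', $restored);
}

// Two users pick the same password; each gets its own random pepper, as the
// first post describes.
$fixedSalt = hash('sha256', '&^RVNH.dsf(&');
$userA = hashOriginalOrder('apassword', $fixedSalt, hash('sha256', newSalt()));
$userB = hashOriginalOrder('apassword', $fixedSalt, hash('sha256', newSalt()));
// Same 64-char prefix and the same unsalted digest in the middle: anyone
// reading the table can tell which users share a password.
echo 'original order, shared prefix: ', var_export(substr($userA, 0, 64) === substr($userB, 0, 64), true), PHP_EOL;
echo 'original order, shared middle: ', var_export(substr($userA, 64, 64) === substr($userB, 64, 64), true), PHP_EOL;

// With the salt inside the hash input, the two digests share nothing.
$pepper = 'site-wide-pepper-kept-outside-the-database';   // hypothetical value
$saltedA = hashSaltedOrder('apassword', newSalt(), $pepper);
$saltedB = hashSaltedOrder('apassword', newSalt(), $pepper);
echo 'salted order, equal digests:   ', var_export($saltedA === $saltedB, true), PHP_EOL;

// The shuffle round-trips with the same constant the application uses.
echo 'shuffle reversible:            ', var_export(unscramble(scramble($userA)) === $userA, true), PHP_EOL;
```

The salt belongs in the users table beside the hash; it is not a secret, its job is to make equal passwords produce different digests. The pepper is the one value that should live outside the database (configuration or an environment variable), which is the point TFlan makes about a second table in the same database not helping.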

  • #4
    Regular Coder
    Join Date
    Oct 2011
    Posts
    237
    Thanks
    11
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by TFlan View Post
    It doesn't really matter if it's in a separate table within the same database, if a hacker has access to one table, s/he has access to all tables.

    Doing what you are doing will stump the amateur hacker, but a pattern is a pattern, regardless of how you slice and dice it.

    I won't say "this is worth it", but I also won't say this isn't worth it - passwords are inherently and forever insecure.
    So how do the big boys do this? For instance, you never hear of Google or high-end banks getting hacked.

    So how would they do this?

    I know scrypt is meant to be the best, but just because it's the best now doesn't mean it will be in 12 months.

    For instance, everyone thought SHA was the best, then hackers cracked it.

  • #5
    Regular Coder
    Join Date
    Oct 2011
    Posts
    237
    Thanks
    11
    Thanked 5 Times in 5 Posts
    Quote Originally Posted by Fou-Lu View Post
    IMO this is more work than you need. Sha256 would be 2^256 chance for collision, which is, well, very high. I'm not a cryptographic expert by any far stretch of the imagination, but best I know sha256 has not been compromised as of yet. I wouldn't go to any effort to chop the strings up.
    The ordering isn't desirable though. You have a salt and pepper that are added after the hash, which means that all passwords start and end with the same sequence. Instead, use hash('sha256', $salt . $password . $pepper); where salt and pepper could be anything, even a single byte that adds uniqueness to the password. So two users with the password 'apassword' don't end up with the same password within storage.
    Cutting the string up isn't all that helpful overall. If software is compromised as well, then the pattern is a standard sequence in order to reassemble it. Since you cannot randomize it, you would either need to do pattern reassembly for it based on offset sequence, or you would need to calculate reassignment based on values. The latter is pretty much what the hashing algorithms are doing anyways.
    BTW, if you want to split that up, create an array using str_split instead.
    Thanks for the advice

  • #6
    New Coder
    Join Date
    Dec 2012
    Location
    USA
    Posts
    82
    Thanks
    3
    Thanked 17 Times in 17 Posts
    Secure passwords are not the end-all-be-all. You also need a secure database.

    People/Businesses that get hacked are hacked because of other security weaknesses. Such as SQL injection, XSS, CSRF, session hijacking, whatever.

    These weaknesses give hackers the open doorway into your database where they can download your users table and then run the cracking script on your hashes.

    To secure your passwords, secure your database. Plug those holes. You're approaching the problem as if someone already has access to your database.
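An added example (not from the thread) that puts TFlan's two points together: the SQL-injection route into the users table is closed with prepared statements, and the stored hash is bcrypt via password_hash(), one of the two options the first post was considering. It uses an in-memory SQLite database so it runs on its own, and assumes PHP 5.5 or later with the pdo_sqlite extension; the usernames and passwords are constructed.

```php
<?php
// Added example, not from the thread: register/login with bound parameters
// and bcrypt. Assumes PHP >= 5.5 with pdo_sqlite. Sample values are made up.
declare(strict_types=1);

const BCRYPT_COST = 12;   // raise over time as hardware gets faster

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL
    )');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void
{
    // bcrypt generates and embeds its own random salt in the returned string,
    // so no separate salt column or "pepper table" is needed.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // The username is bound as data, never spliced into the SQL text, so a
    // value containing quotes or OR clauses is simply looked up literally.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // If the cost parameter has been raised since this hash was stored,
    // re-hash now while the plaintext is available.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute([
            ':h' => password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
            ':u' => $username,
        ]);
    }
    return true;
}

// Constructed demonstration.
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(login($db, 'alice', 'correct horse battery staple'));   // right password
var_dump(login($db, 'alice', 'not the password'));               // wrong password
// The quote-laden string is bound as data and matched literally as a username.
var_dump(login($db, "alice' OR '1'='1", 'anything'));
```

The hash column holds a self-describing string (algorithm, cost, salt, digest), so the scheme can be tightened later without a migration: password_needs_rehash() reports old entries and they are upgraded on the user's next successful login.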

  • #7
    Senior Coder
    Join Date
    Feb 2011
    Location
    Your Monitor
    Posts
    4,341
    Thanks
    60
    Thanked 527 Times in 514 Posts
    Blog Entries
    4
    Quote Originally Posted by devinmaking View Post
    so how do the big boys do this, For instance you never hear Google or high end banks getting hacked.
    They spend mega-bucks on having full-time staff monitoring their systems, having the best in the field working for them, employing slightly more staff than they actually need across multiple sites and generally having more human brain power than the one- or three-man hacking team.
    See my new CodingForums Blog: http://www.codingforums.com/blogs/tangoforce/

    Many useful explanations and tips including: Cannot modify headers - already sent, The IE if (isset($_POST['submit'])) bug explained, unexpected T_CONSTANT_ENCAPSED_STRING, debugging tips and much more!

