
paul
16 years ago
I believe this offers the best amount of protection using a random salt, which has to be stored so it can be used later for verification.

If no salt is given (it can be retrieved by halving the output and taking the first half), then it will generate a random salt, hash it, place it in a position relative to the length of the password (between 0 and the length of the hash type (sha1? md5?)) within the hashed password, and then hash the complete string.

This results in a password hash using a salt that is dynamically placed depending on password length. The salt used is then prepended to the finished hash so it can be retrieved later on for verifying.

Seeing as users will choose a typical password of between 5 and, say, 15 characters, this gives them an extra 10 times the number of dictionary attacks to try out with the hash, as it could be placed in any position. Because this is a randomly generated salt too, it means at least 10 dictionary attacks (with the possibility of up to 40) for each instance a password is created, to try and work out your sha1 encrypted password.

If you change your password, say, every month, even if someone gets a look at your file through a local exploit, the amount of time to work out your password would far outweigh the frequency at which you change it.

Nothing is secure, but this should take them longer to work out than the time in which you change it. That is, at least by today's technologies.

Paul

<?php
function createHash($inText, $saltHash = null, $mode = 'sha1')
{
    // Hash the plaintext on its own first.
    $textHash = hash($mode, $inText);

    // The salt will be spliced in at an offset equal to the password length.
    $saltStart = strlen($inText);

    // No salt given: generate a random one and hash it so it has the same
    // length as $textHash (the salt is a hash of the same $mode).
    if ($saltHash === null || $saltHash === '') {
        $saltHash = hash($mode, uniqid((string) rand(), true));
    }

    if ($saltStart > 0 && $saltStart < strlen($saltHash)) {
        // Split the text hash at the password length and put the salt in the
        // middle, with the two halves swapped, then hash the whole string.
        $textHashStart = substr($textHash, 0, $saltStart);
        $textHashEnd   = substr($textHash, $saltStart, strlen($saltHash));
        $outHash = hash($mode, $textHashEnd . $saltHash . $textHashStart);
    } elseif ($saltStart > (strlen($saltHash) - 1)) {
        // Password is at least as long as the hash: salt goes at the end.
        $outHash = hash($mode, $textHash . $saltHash);
    } else {
        // Empty password: salt goes at the front.
        $outHash = hash($mode, $saltHash . $textHash);
    }

    // Prepend the salt so it can be recovered (first half of the output)
    // when verifying.
    return $saltHash . $outHash;
}
?>
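The note describes how to recover the salt (halve the stored value, take the first half) but does not show the verification side. The following is an added example, the editor's code rather than paul's, that reproduces createHash() so the file runs on its own and adds a verifyHash() helper; the verifyHash name, the use of random_int() in place of rand(), and the hash_equals() comparison are the editor's choices, not part of the original note. (On current PHP, password_hash() and password_verify() already provide a salted, slow password hash; this example only shows how the note's own scheme is checked.)

```php
<?php
// Added example: verifying a hash produced by the note's createHash().
// createHash() is reproduced here so the example is self-contained;
// verifyHash() is an assumed helper name, not from the original note.
declare(strict_types=1);

function createHash(string $inText, ?string $saltHash = null, string $mode = 'sha1'): string
{
    $textHash  = hash($mode, $inText);
    $saltStart = strlen($inText);

    // No salt supplied: derive a fresh random one of the same length as $textHash.
    // random_int() is used here instead of the note's rand() (editor's choice).
    if ($saltHash === null || $saltHash === '') {
        $saltHash = hash($mode, uniqid((string) random_int(0, PHP_INT_MAX), true));
    }

    if ($saltStart > 0 && $saltStart < strlen($saltHash)) {
        // Salt spliced in at the password-length offset, halves swapped.
        $textHashStart = substr($textHash, 0, $saltStart);
        $textHashEnd   = substr($textHash, $saltStart);
        $outHash = hash($mode, $textHashEnd . $saltHash . $textHashStart);
    } elseif ($saltStart > strlen($saltHash) - 1) {
        // Password at least as long as the hash: salt at the end.
        $outHash = hash($mode, $textHash . $saltHash);
    } else {
        // Empty password: salt at the front.
        $outHash = hash($mode, $saltHash . $textHash);
    }

    return $saltHash . $outHash;
}

// Verification: the stored value is salt . outHash, both the same length,
// so the salt is the first half. Recompute with the candidate password and
// the recovered salt, and compare in constant time.
function verifyHash(string $candidate, string $stored, string $mode = 'sha1'): bool
{
    $len = strlen($stored);
    if ($len === 0 || $len % 2 !== 0) {
        return false; // not a value this scheme could have produced
    }
    $saltHash = substr($stored, 0, intdiv($len, 2));
    return hash_equals($stored, createHash($candidate, $saltHash, $mode));
}

// Constructed demo values (not from the original note).
$stored = createHash('correct horse');
var_dump(verifyHash('correct horse', $stored));
var_dump(verifyHash('correct horsf', $stored));
// A candidate of a different length also moves the salt offset, so it fails.
var_dump(verifyHash('correct hors', $stored));
// A second createHash() call draws a new salt, so stored values differ.
var_dump($stored === createHash('correct horse'));
```

Running this prints true for the correct password and false for the other three checks. The length check in verifyHash() matters because the salt offset is derived from the candidate's length, not stored with the value; a truncated or odd-length record cannot be split into the two halves the scheme expects and is rejected rather than mis-parsed.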
