Crypt or MD5?

Just wondered what's more uncrackable?

crypt("password")

or

md5("password")

Or is there anything else even more secure that can be used to e.g. store user password in a database?

EDIT

To me it seems like crypt() is more secure as the generated string is random each time.

Craig.
 
Bah, PHP 4.3.0... my PHP is running on 4.1.1 atm >.<

Suppose I'll update.

EDIT

Been using PHPTriad on my Windows server... but that's discontinued :(

Can anyone suggest an installer package that'll install Apache, MySQL & PHP for Windows please?
 
Thanks very much, looks perfect.

Will I need to be changing any of my coding 'styles' to move onto PHP 5?

Example of my coding 'style':

Code:
<?php
include "includes/config.php";

$sql = "SELECT column1, column2, column3 FROM table";
$result = mysql_query($sql);

echo '
        <table>
          <tr>
            <td>Column 1</td>
            <td>Column 2</td>
            <td>Column 3</td>
          </tr>';

while($row = mysql_fetch_array($result))
{
  // PHP variable names cannot start with a digit
  $col1 = $row['column1'];
  $col2 = $row['column2'];
  $col3 = $row['column3'];

  echo '
          <tr>
            <td>'.$col1.'</td>
            <td>'.$col2.'</td>
            <td>'.$col3.'</td>
          </tr>';
}

echo '  </table>';

?>

I'm not sure if that's a good example as I'm not sure what has changed in v5.

Thanks,
Craig
 
Craig321 said:
Thanks very much, looks perfect.

Will I need to be changing any of my coding 'styles' to move onto PHP 5?

Example of my coding 'style':

Code:
<?php
include "includes/config.php";

$sql = "SELECT column1, column2, column3 FROM table";
$result = mysql_query($sql);

echo '
        <table>
          <tr>
            <td>Column 1</td>
            <td>Column 2</td>
            <td>Column 3</td>
          </tr>';

while($row = mysql_fetch_array($result))
{
  // PHP variable names cannot start with a digit
  $col1 = $row['column1'];
  $col2 = $row['column2'];
  $col3 = $row['column3'];

  echo '
          <tr>
            <td>'.$col1.'</td>
            <td>'.$col2.'</td>
            <td>'.$col3.'</td>
          </tr>';
}

echo '  </table>';

?>

I'm not sure if that's a good example as I'm not sure what has changed in v5.

Thanks,
Craig

That'll run fine on PHP 5.

If you're not using any special functions or classes, I wouldn't worry about it.
 
PHP5 adds a lot of things, but almost all of it is backwards compatible, so 99.99% of PHP4 code works flawlessly on PHP5 without modification :)
 
robmiller said:
PHP5 adds a lot of things, but almost all of it is backwards compatible, so 99.99% of PHP4 code works flawlessly on PHP5 without modification :)

Okay, thanks Robbo :)

Also, I got SHA1("string"); working with my updated PHP but I'm not sure what you meant by "with a randomly generated, user-specific salt."?

There's not much of an explanation on sha1 on php.net >.<

EDIT

Got an example off one of the comments and I guess this is what you meant?:

Code:
<?php

$string = $_POST['string'];

$salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand());
$hash = base64_encode(pack("H*", sha1($string . $salt)) . $salt);

echo $hash;

?>

Thanks,
Craig.
 
Craig321 said:
Just wondered what's more uncrackable?

crypt("password")

or

md5("password")

Or is there anything else even more secure that can be used to e.g. store user password in a database?

EDIT

To me it seems like crypt() is more secure as the generated string is random each time.

Craig.

If someone is able to execute queries against your username/password table to access the encrypted content then the strength of the encryption is the least of your worries....
 
Visage said:
If someone is able to execute queries against your username/password table to access the encrypted content then the strength of the encryption is the least of your worries....

They don't have to have access to the database―almost every site includes a password hash in a cookie to remember someone's logon, and it's not improbable for someone's cookies to get stolen.

Hashing the password with a salt is just extending a courtesy to the user; they might have their account for that site stolen if an attacker accesses their cookies/the database, but even if they use the same password everywhere they won't get their plaintext password stolen.
 
Thanks :)

Couldn't I just do this rather than having the whole extra salt column?:

Code:
<?php
$string = $_POST['string'];

$salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand());
$hash = base64_encode(pack("H*", sha1($string . $salt)) . $salt);

echo $hash;

// From here I can post the $hash into the user's password column...
?>



EDIT--

Ah, just noticed that on the page you linked me to it says you need the salt column to verify the user's details when they log in.

Thanks :)
Craig

EDIT

Just came up with this, is this all correct? It all seems to work when echoing out the results, but is it actually correct?:

Code:
<?php
include "includes/config.php";

define('SALT_LENGTH', 8);

$username = $_POST['username'];
$userPassword = $_POST['password'];

$salt = substr(sha1(uniqid(rand(), true)), 0, SALT_LENGTH);

$prepend = $salt . $userPassword;

$hashed = sha1($prepend);

$sql = "INSERT INTO users (username, salt, password) VALUES ('$username', '$salt', '$hashed')";

if(mysql_query($sql))
{
	echo 'Thanks for signing up!';
}
else
{
	echo 'Error!<br>' . mysql_error();
}
?>

Thanks,
Craig.
 
Right, I've just written this system (it's unsecure right now - haven't done form safety, SQL safety yet etc.) it's not finished, but it uses a random salt with sha1.

process_signup.php - I haven't added all the security checks and stuff yet (please point out any I might forget though! :)) - mainly look at the way I've stored/used passwords please.

Code:
<?php
include "includes/config.php";

define('SALT_LENGTH', 8);

$username = strip_tags($_POST['username']);
$userPassword = strip_tags($_POST['password']);

$salt = substr(sha1(uniqid(rand(), true)), 0, SALT_LENGTH);

$prepend = $salt . $userPassword;

$hashed = sha1($prepend);

$sql = "INSERT INTO users (username, salt, password) VALUES ('$username', '$salt', '$hashed')";

if(mysql_query($sql))
{
	echo 'Thanks for signing up!';
}
else
{
	echo 'Error!<br>' . mysql_error();
}
?>



This one also submits from a form.. same as above - process_login.php:

Code:
<?php
include "includes/config.php";

$username = strip_tags($_POST['usernameLogin']);
$userPassword = strip_tags($_POST['passwordLogin']);

$sql = sprintf("SELECT salt FROM users WHERE username = %s", quote_smart($username));
$result = mysql_query($sql);
$row = mysql_fetch_array($result);

$salt = $row['salt'];

$dbpassword = sha1($salt . $userPassword);

$sql2 = sprintf("SELECT * FROM users WHERE password = %s", quote_smart($dbpassword));
$result2 = mysql_query($sql2);

if(mysql_num_rows($result2)<1)
{
	echo 'Invalid username/password<br>' . mysql_error();
}
else
{
	echo 'Welcome back ' . $username;
}
?>


Ignoring the obvious security holes and concentrating just on the way I have handled the password - is this code fine?

Thanks,
Craig.
 
The second query doesn't care whose password is matched. You're probably more likely to be killed by a tea cosy (QI ;)), but still. :)
 
Craig321 said:
Code:
$userPassword = strip_tags($_POST['password']);

Don't chuck the password through strip_tags as a) it will mean (for example) that the password "<b>password" would be the same as "password" and b) it's going to be hashed anyway so you know it's going to be an alphanumeric string that will be safe to print to a page or insert into a database.
 
Berserker said:
The second query doesn't care whose password is matched. You're probably more likely to be killed by a tea cosy (QI ;)), but still. :)

Ah, oops :p

Guess I should authenticate the username as well :p

I guess this is what you mean?:

Code:
$sql2 = sprintf("SELECT * FROM users WHERE username = %s AND password = %s", quote_smart($username), quote_smart($dbpassword));
$result2 = mysql_query($sql2);


EDIT

Pine said:
Don't chuck the password through strip_tags as a) it will mean (for example) that the password "<b>password" would be the same as "password" and b) it's going to be hashed anyway so you know it's going to be an alphanumeric string that will be safe to print to a page or insert into a database.

Ah yes, thank you :)

Removed them.
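
The signup and login flow discussed in this thread, as an added example that is not part of the thread or any poster's code: it uses PHP's built-in password_hash() and password_verify() (PHP 5.5+; the type hints here need PHP 7), which keep the per-user salt inside the stored hash string, and it checks the password only against the row for the given username. The function names and the in-memory SQLite database standing in for the MySQL users table are assumptions.

```php
<?php
// Added example, not code from the thread. Function names and the in-memory
// SQLite database (standing in for the MySQL `users` table) are assumptions.

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

function signup(PDO $db, string $username, string $password): void
{
    // password_hash() draws a random per-user salt and stores it, with the
    // algorithm and cost, inside the returned string: no salt column needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep the username out of the SQL text.
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Fetch the one row for this username, then check the password against
    // that row only, so another user's password can never satisfy the login.
    $stmt = $db->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }
    // Recomputes the hash with the embedded salt; the comparison is timing-safe.
    return password_verify($password, $stored);
}

// Constructed sample accounts. Passwords are hashed raw, without strip_tags().
$db = open_db();
signup($db, 'alice', '<b>password');
signup($db, 'bob', 'password');

var_dump(login($db, 'alice', '<b>password')); // alice with her own password
var_dump(login($db, 'alice', 'password'));    // alice with bob's password
var_dump(login($db, 'bob', 'password'));      // bob with his own password
var_dump(login($db, 'carol', 'password'));    // user that does not exist
```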
 