Crypt or MD5?

Craig321 · 29 Sep 2006 at 00:20

Just wondered what's more uncrackable?

crypt("password")

or

md5("password")

Or is there anything else even more secure that can be used to e.g. store user password in a database?

EDIT

To me it seems like crypt() is more secure as the generate string is random each time.

Craig.

Craig321 · 29 Sep 2006 at 02:18

Bah, PHP 4.3.0... my PHP is running on 4.1.1 atm >.<

Suppose I'll update.

EDIT

Been using PHPTriad on my Windows server... but that's discontinued

Can anyone suggest me a installer package that'll install Apache, MySQL & PHP for Windows please?

Craig321 · 29 Sep 2006 at 02:33

Thanks very much, looks perfect.

Will I need to be changing any of my coding 'styles' to move onto PHP 5?

Example of my coding 'style':

Code:

<?php
include "includes/config.php";

$sql = "SELECT column1, column2, column3 FROM table";
$result = mysql_query($sql);

echo '
        <table>
          <tr>
            <td>Column 1</td>
            <td>Column 2</td>
            <td>Column 3</td>
          </tr>';

while($row = mysql_fetch_array($result))
{
  $1 = $row['column1'];
  $2 = $row['column2'];
  $3 = $row['column3'];

  echo '
          <tr>
            <td>'.$1.'</td>
            <td>'.$2.'</td>
            <td>'.$3.'</td>
          </tr>';
}

echo '  </table>';

?>

I'm not sure if that's a good example as I'm not sure what has changed in v5.

Thanks,
Craig

Craig321 · 29 Sep 2006 at 17:47

Okay, thanks

Craig321 · 29 Sep 2006 at 19:25

robmiller said:
PHP5 adds a lot of things, but almost all of it is backwards compatible, so 99.99% of PHP4 code works flawlessly on PHP5 without modification

Okay, thanks Robbo

Also, I got SHA1("string"); working with my updated PHP but I'm not sure what you meant by "with a randomly generated, user-specific salt."?

There's not much of an explanation on sha1 on php.net >.<

EDIT

Got and example off one of the comments and I guess this is what you meant?:

Code:

<?php

$string = $_POST['string'];

$salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand());
$hash = base64_encode(pack("H*", sha1($string . $salt)) . $salt);

echo $hash;

?>

Thanks,
Craig.

Craig321 · 30 Sep 2006 at 02:51

Hi Rob,

Was that example I posted above what you meant? Or did you mean something different?

Thanks,
Craig.

Craig321 · 30 Sep 2006 at 14:21

Thanks

Couldn't I just do this rather than having the whole extra salt column?:

Code:

<?php
$string = $_POST['string'];

$salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand());
$hash = base64_encode(pack("H*", sha1($string . $salt)) . $salt);

echo $hash;

//From here I can post the $hash into the users password column... 
?>

EDIT--

Ah, just noticed that on the page you linked me to it says you need the salt column to verify the users details when they log-in.

Thanks

Craig

EDIT

Just came up with this, is this all correct? It all seems to work when echoing out the results, but is it actually correct?:

Code:

<?php
include "includes/config.php";

define('SALT_LENGTH', 8);

$username = $_POST['username'];
$userPassword = $_POST['password'];

$salt = substr(sha1(uniqid(rand(), true)), 0, SALT_LENGTH);

$prepend = $salt . $userPassword;

$hashed = sha1($prepend);

$sql = "INSERT INTO users (username, salt, password) VALUES ('$username', '$salt', '$hashed')";

if(mysql_query($sql))
{
	echo 'Thanks for signing up!';
}
else
{
	echo 'Error!<br>' . mysql_error();
}
?>

Thanks,
Craig.

Craig321 · 30 Sep 2006 at 15:27

Right, I've just written this system (it's unsecure right now - haven't done form safety, SQL safety yet etc.) it's not finished, but it uses a random salt with sha1.

process_signup.php - I haven't added all the security checks and stuff yet (please point out any I might forget though!

) - mainly look at the way I've stored/uses passwords please.

Code:

<?php
include "includes/config.php";

define('SALT_LENGTH', 8);

$username = strip_tags($_POST['username']);
$userPassword = strip_tags($_POST['password']);

$salt = substr(sha1(uniqid(rand(), true)), 0, SALT_LENGTH);

$prepend = $salt . $userPassword;

$hashed = sha1($prepend);

$sql = "INSERT INTO users (username, salt, password) VALUES ('$username', '$salt', '$hashed')";

if(mysql_query($sql))
{
	echo 'Thanks for signing up!';
}
else
{
	echo 'Error!<br>' . mysql_error();
}
?>

This one also submits from a form.. same as above - process_login.php:

Code:

<?php
include "includes/config.php";

$username = strip_tags($_POST['usernameLogin']);
$userPassword = strip_tags($_POST['passwordLogin']);

$sql = sprintf("SELECT salt FROM users WHERE username = %s", quote_smart($username));
$result = mysql_query($sql);
$row = mysql_fetch_array($result);

$salt = $row['salt'];

$dbpassword = sha1($salt . $userPassword);

$sql2 = sprintf("SELECT * FROM users WHERE password = %s", quote_smart($dbpassword));
$result2 = mysql_query($sql2);

if(mysql_num_rows($result2)<1)
{
	echo 'Invalid username/password<br>' . mysql_error();
}
else
{
	echo 'Welcome back ' . $username;
}
?>

Ignoring the obvious security holes and concentrating just on the way I have handled the password - is this code fine?

Thanks,
Craig.

Craig321 · 1 Oct 2006 at 14:01

Berserker said:
The second query doesn't care whose password is matched. You're probably more likely to be killed by a tea cosy (QI ), but still.

Ah, oops

Guess I should authenticate the username as well

I guess this is what you mean?:

Code:

$sql2 = sprintf("SELECT * FROM users WHERE username = %s AND password = %s", quote_smart($username), quote_smart($dbpassword));
$result2 = mysql_query($sql2);

EDIT

Pine said:
Don't chuck the password through strip_tags as a) it will mean (for example) that the password "<b>password" would be the same as "password" and b) it's going to be hashed anyway so you know it's going to be an alphanumeric string that will be safe to print to a page or insert into a database.

Ah yes, thank you

Removed them.