• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Looking for string hashing using a portable but secure method

#1
[eluser]Xeoncross[/eluser]
I have been following password hashing and security for a while now, even though much of the mathematics involved far exceeds my understanding. At any rate, this topic is a request for any advanced resources (scripts/articles) you may have or know of on the topic of hashing.

The main problem is that MD5 and SHA1 are theoretically becoming easier and easier to break into - even with salts. Many of the auth systems around here create salts and then use one of these to methods to hash a string when checking for a password.

Personally, I would like to use phpass for my projects. Seeing the benefit, many systems like Wordpress & drupal already employ this system. However, using the high-level Blowfish-based hashing that makes the lib so useful causes non-portable hashes to be created. This is a problem for sites that keep changing hosts or use multiple servers. You can downgrade the protection that phpass provides all the way back to md5 - but then what is the point of even using it?

So any ideas on better security for strings without locking a site to a certain system? If you are looking for a good read you might try this.

#2
[eluser]bretticus[/eluser]
[quote author="Xeoncross" date="1240094874"]So any ideas on better security for strings without locking a site to a certain system? If you are looking for a good read you might try this.[/quote]

Well, the Suhosin extension source code is available to be compiled for probably just about every kind of *nix. It offers a sha256() function (I installed it on my Debian etch servers with sudo apt-get install php5-suhosin.) I would assume sha256 is portable. Frankly, I don't have anything I need to protect better than sha1. But if I did, I'd feel fairly safe with sha1 as long as I was enforcing non-dictionary passwords with letters and numbers at least (okay, maybe sha256!) Smile

Anyways, I just wanted to recommend the Suhosin extension for a fast and easy upgrade for one-time hashing.

Cheers!

#3
[eluser]Xeoncross[/eluser]
After spending several days browsing the web I have hit a brick wall. It seems that no matter what algorithm you use, a users password can be cracked by use of a rainbow table if an attacker gets a hold of your users hash + salt(s) (user salt and/or config file salt).

If only there was a way to increase the length of the users password (which is what a salt is for) without allowing something that is predictable.

Oh, and this was one of my favorite articles.

#4
[eluser]Dam1an[/eluser]
Here's a random idea off the top of my head... no idea how practical ad secure it would be though...
(Note: using plain old md5 and salt for simplicity sake)

Instead of hashing the password and salting it, and then storing it in a 32 char field in your database, make the field 32*X where x is a multiplier
Then do md5(md5(password).salt1) . md5(md5(result of first part).salt2) . md5(md5(result of third part).salt1)

so you hash then salt, then concatenate the hashed and salted result of that with its result etc

#5
[eluser]Xeoncross[/eluser]
That concatenation makes your hashes weaker as now the attacker has more hashes to work with. Plus, if they want the original they just break off the first 32 chars.

#6
[eluser]Nicholas Hanks[/eluser]
I think SHA256 is good for hashing. Usually I hash password using SHA256 with unique salt of 128 character long password in conjunction with salt from config file. In this case if anybody hack your database then it's useless for them since hashed password also relies on config salt and vice versa.


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.