Encoding a password
#1

[eluser]Kemik[/eluser]
Hello,

I'm trying to use CI's $this->encrypt->encode() function to encode the users password and check it against the one in the database so they can login.

However, if I encode "test" the result changes every time. E.g. "test" could = dfs77fdshdsfdfs= but then DSUDSDSDhds= next time (I just typed random characters there, btw).

They always seem to have an = at the end of the string though.

What's the best way to encode a password and keep the string the same every time?

Edit. I've done some tests...

Password: test1
Password Hash: EhfaYeOPfM/rtDvbrJh/EecblQSrVtDfP6x/Lg8toug=
Decoded: test1

Password: test1
Password Hash: /HFJAzH04ublyUWzMgwhlLv/Q1SPEfpQ3QaCX0eDpOE=
Decoded: test1

There are just two examples.
#2

[eluser]Unknown[/eluser]
Why don't you use PHP's built-in md5() function? :-)
#3

[eluser]Kemik[/eluser]
Apparently it's not very secure.
#4

[eluser]Michael Wales[/eluser]
md5 is 100 billion trillion times more secure than encoding. Encoding is reversible (you can decode and see the text), MD5 and SHA1 are not - they are one-way encryption algorithms.

There really isn't anything insecure concerning MD5, the problem is collisions. Collisions occur when two different strings produce the same output from the algorithm. The web community has been using MD5 for years and I have never heard of collision abuse causing security issues (because the users can't see their md5 hashes, and it's a lot easier to produce a collision when you know the hash you are trying to match). Colliding with a hash you don't know is just the same as trying to guess a password - only possible via brute force.

Regardless, I don't recommend you use MD5. CodeIgniter has a great function built into the security helper, dohash(). dohash() allows you to encrypt data via SHA1 (the default) or MD5. The SHA series is to be considered the successor to the MD series, and although some vulnerabilities have already been found in SHA1 they are less likely than those within MD5 (and SHA2 has yet to produce a viable collision).
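The distinction drawn in the post above, as an added example that is not from the thread or from CodeIgniter: a reversible encoding (here AES via OpenSSL with a random IV, assumed as a stand-in for CI's encode()) produces a different string for the same input on every call yet decodes back to the original, while a one-way hash gives the same digest every time and cannot be turned back into the password. The trailing `=` the first post noticed is base64 padding. The key below is constructed for the demonstration.

```php
<?php
// Added example, not from the thread or from CodeIgniter.
// Contrasts a reversible encoding (output differs per call, can be decoded)
// with a one-way hash (same input always gives the same digest).

// Constructed key for the demonstration only; a real key comes from config.
$key = hash('sha256', 'demo-encryption-key', true);

function encode_reversible(string $plain, string $key): string
{
    // A fresh random IV each call is why the same plaintext gives different output.
    $ivlen = openssl_cipher_iv_length('aes-256-cbc');
    $iv = random_bytes($ivlen);
    $ct = openssl_encrypt($plain, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    // base64 padding is where the trailing '=' comes from.
    return base64_encode($iv . $ct);
}

function decode_reversible(string $encoded, string $key): string
{
    $raw = base64_decode($encoded, true);
    $ivlen = openssl_cipher_iv_length('aes-256-cbc');
    $iv = substr($raw, 0, $ivlen);
    $ct = substr($raw, $ivlen);
    return openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

function hash_one_way(string $plain): string
{
    // Deterministic: compare stored digest against digest of the submitted value.
    return hash('sha1', $plain);
}

$a = encode_reversible('test1', $key);
$b = encode_reversible('test1', $key);
printf("encoded twice:\n  %s\n  %s\n", $a, $b);
printf("decoded back:\n  %s\n  %s\n", decode_reversible($a, $key), decode_reversible($b, $key));

$h1 = hash_one_way('test1');
$h2 = hash_one_way('test1');
printf("hashed twice:\n  %s\n  %s\n", $h1, $h2);
// hash_equals avoids leaking timing information during the comparison.
var_dump(hash_equals($h1, $h2));
```

Run it with `php encode_vs_hash.php`: the two encoded strings differ and both decode, the two digests are identical. Because anyone holding the key can run decode_reversible() over a stolen table, encoding is not a way to store passwords; the hash is what gets stored and compared.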
#5

[eluser]zdknudsen[/eluser]
I usually use sha1.

So does plenty of CodeIgniter.
#6

[eluser]Mark LaDoux[/eluser]
Here's what I use for hashing:

Code:
// Meant to live inside a CodeIgniter controller or model: $this->config is the CI config loader.
function hash_pass($pass)
{
  // Site-wide secret from config/config.php is used as the salt.
  $msalt = $this->config->item('encryption_key');
  // Two intermediate digests with the salt on either side of the password ...
  $fsalt = hash('sha512', $msalt.$pass);
  $bsalt = hash('sha512', $pass.$msalt);
  // ... then a final digest over both plus the password.
  $pass_hash = hash('sha512', $fsalt.$pass.$bsalt);

  return $pass_hash;
}
#7

[eluser]Neoraj3.0[/eluser]
Mark, how would I use the hash_pass function with CI's post code?

//The POST happens here when a new user name and password is created:

$data = array(
  'username' => $this->input->post('username'),
  'password' => $this->input->post('password')
);

#8

[eluser]albertleao[/eluser]
Wow! People still using SHA512 and MD5 for password hashing?!

Here's a nice writeup that the guys over at the PHP group have put together:

http://www.php.net/manual/en/faq.passwor...ds.hashing



Encoding a password is almost as bad as storing it in plain text. NEVER DO THIS.
As for SHA and MD5, these methods used to be good, but are now susceptible to brute force attacks. Heck, there are websites with rainbow tables that will help you figure out the hash.

If you're trying to save a password securely, make sure you're using some of the latest hashing methods like Blowfish.
#9

[eluser]Neoraj3.0[/eluser]
Thanks Albert, I am newish to CodeIgniter and was looking for something a bit more advanced than md5 and sha1 for an adduser page and login page.

Will check out the link.
#10

[eluser]albertleao[/eluser]
No problem. It's a misconception of a lot of programmers that are self-taught that you need to decode a password to authenticate a user. You need to find the method which takes the most processing power to hash, and then you hash the user input and compare the final result.

The longer it takes to process a hash, the harder it is for someone to replicate it using brute force. It increases exponentially.
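The approach the last two albertleao posts describe, as an added example that is not from the thread or from CodeIgniter: Blowfish-based password hashing is what PHP exposes as PASSWORD_BCRYPT in password_hash(), and authentication re-hashes the submitted password and compares rather than decoding anything. The cost parameter is the "longer to process" knob; the timing loop shows each step roughly doubling the work. Function names are my own; the password values are constructed.

```php
<?php
// Added example, not from the thread or from CodeIgniter.
// Slow, salted hashing with bcrypt and verify-by-rehash; requires PHP 5.5+.

function register_user(string $password, int $cost = 12): string
{
    // password_hash picks a random salt and embeds salt + cost in the output,
    // so two registrations of the same password store different strings.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function login_user(string $submitted, string $stored_hash): bool
{
    // password_verify reads salt and cost back out of the stored hash,
    // recomputes the digest for the submitted value and compares safely.
    return password_verify($submitted, $stored_hash);
}

function needs_upgrade(string $stored_hash, int $target_cost): bool
{
    // Raising cost later: check on a successful login and rehash if needed.
    return password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => $target_cost]);
}

function time_cost(int $cost): float
{
    // Seconds for one hash at this cost; the work roughly doubles per +1.
    $start = microtime(true);
    password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
    return microtime(true) - $start;
}

// Constructed values for the demonstration.
$h1 = register_user('test1');
$h2 = register_user('test1');
echo "same password, two different stored hashes:\n$h1\n$h2\n";

// Correct password verifies against either stored hash; wrong one against neither.
var_dump(login_user('test1', $h1));
var_dump(login_user('test1', $h2));
var_dump(login_user('wrong-password', $h1));

foreach ([8, 10, 12] as $cost) {
    printf("cost %2d: %.3f s per hash\n", $cost, time_cost($cost));
}

// A hash stored at cost 12 reports that it should be redone at cost 13.
var_dump(needs_upgrade($h1, 13));
```

In the registration flow from post #7, the 'password' element of $data would hold register_user($this->input->post('password')), and the login controller would call login_user() with the submitted value and the stored column. Pick the cost by measuring on the production hardware with time_cost() and choosing the highest value whose delay is still acceptable at login.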