Kommentare zu: PHP: Easy to use and secure PHP hashing Class http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html Ich bin nicht verrückt, nur technisch begabt ... Fri, 26 Sep 2014 12:04:55 -0400 http://wordpress.org/?v=2.8.2 hourly 1 Von: Julius http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1520 Julius Sun, 23 Sep 2012 11:34:59 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1520 Thanks Alejandro for your comment. From your point of view, my scheme might be too simple to be called secure. But when working with php, you are quite limited what kind of solution can be done with common effort. Why i used sha1 and md5 is, because PHP offers them in nearly every version today. Other functions need specific modules that are not always installed. The point with the FPGA is correct, its the way it goes with more powerfull hardware over time. The comment about salt length is truly incorrect. A longer salt will result a in a "more secure" hash because the number of possibilites for a attack that does not have the salt will increase. But if the attacker already got the salt, i think it does not make a difference, if its 4 or 8 chars long. Thanks for your AES comment, that is something i did not know yet. As you can see, the solution is not perfect ;) But i always hoped to inspire and teach people, to have an eye on that topic because it is fundamental knowledge of hashing. Thanks Alejandro for your comment.

From your point of view, my scheme might be too simple to be called secure. But when working with php, you are quite limited what kind of solution can be done with common effort. Why i used sha1 and md5 is, because PHP offers them in nearly every version today. Other functions need specific modules that are not always installed.

The point with the FPGA is correct, its the way it goes with more powerfull hardware over time.

The comment about salt length is truly incorrect. A longer salt will result a in a "more secure" hash because the number of possibilites for a attack that does not have the salt will increase. But if the attacker already got the salt, i think it does not make a difference, if its 4 or 8 chars long.

Thanks for your AES comment, that is something i did not know yet.

As you can see, the solution is not perfect ;)
But i always hoped to inspire and teach people, to have an eye on that topic because it is fundamental knowledge of hashing.

]]> Von: Alejandro http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1518 Alejandro Sun, 26 Aug 2012 12:45:39 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1518 Hi Julius, i need to tell you that this scheme isn't secure, i know it is hard to get, but the only functions that actually increase the security of your scheme are the random salt and the multiple hashing, and the multiple hashing can be easily broke with an FPGA in no time, because you are using sha-1. Your commentary about the 4 bytes salt is simply wrong, even the PBKDF uses a salt of 8 bytes (new schemes use nonces with at least 32 bytes), the size of the salt matters. The global salt + the permutation = bad cipher if you want to do this, it's a better idea using a block cipher like AES key + AES The AES-key is a global salt, and AES is a permutation (by definition), the diference between your salt+permutation and key+AES is: your permutation is linear, then, it is easy to compute. Hi Julius, i need to tell you that this scheme isn't secure, i know it is hard to get, but the only functions that actually increase the security of your scheme are the random salt and the multiple hashing, and the multiple hashing can be easily broke with an FPGA in no time, because you are using sha-1.
Your commentary about the 4 bytes salt is simply wrong, even the PBKDF uses a salt of 8 bytes (new schemes use nonces with at least 32 bytes), the size of the salt matters.
The global salt + the permutation = bad cipher
if you want to do this, it's a better idea using a block cipher like AES
key + AES
The AES-key is a global salt, and AES is a permutation (by definition), the diference between your salt+permutation and key+AES is: your permutation is linear, then, it is easy to compute.

]]> Von: Macs http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1476 Macs Wed, 15 Feb 2012 09:44:54 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1476 Hi Julius Please ignore my last comment. I understand now Great stuff, thank-you Regards Macs Hi Julius

Please ignore my last comment. I understand now

Great stuff, thank-you

Regards
Macs

]]> Von: Julius http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1475 Julius Wed, 15 Feb 2012 09:36:56 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1475 It seems as if you missed the part, that for each hash a random salt is used, that is stored inside the returned hash. This is a security measurment to avoid hashes beeing cracked too fast. More info can be found here: http://en.wikipedia.org/wiki/Salting_%28cryptography%29 It seems as if you missed the part, that for each hash a random salt is used, that is stored inside the returned hash. This is a security measurment to avoid hashes beeing cracked too fast.
More info can be found here: http://en.wikipedia.org/wiki/Salting_%28cryptography%29

]]> Von: Macs http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1474 Macs Wed, 15 Feb 2012 09:19:04 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1474 Hi Julius Please forgive my ignorance, however, the code and example that you give generates a unique hash on each occasion that it is executed for the same password. Is this intended and a I missing something. Regards Macs Hi Julius

Please forgive my ignorance, however, the code and example that you give generates a unique hash on each occasion that it is executed for the same password.

Is this intended and a I missing something.

Regards
Macs

]]> Von: Julius http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1413 Julius Mon, 01 Aug 2011 19:46:58 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1413 There is no way to get the password from a hash. Hashes just work the way Input (like a password) -hashing-> Hash. Not the other way round. Encryption can do Input -encrypting-> Encrypted Input -decrypting-> Input but that aint practical. Sending plain passwords via Email is also a security risk. I would avoid that. Best way for you should be sending a unique link that can only be used once for resetting a password on your website. Regards, Julius There is no way to get the password from a hash.
Hashes just work the way Input (like a password) -hashing-> Hash. Not the other way round.
Encryption can do Input -encrypting-> Encrypted Input -decrypting-> Input but that aint practical.

Sending plain passwords via Email is also a security risk. I would avoid that.
Best way for you should be sending a unique link that can only be used once for resetting a password on your website.

Regards, Julius

]]> Von: Tazek http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1412 Tazek Mon, 01 Aug 2011 18:29:35 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1412 Hi Julius, I have a question: I'm using your class on my login system. This login system has a "reset password" page, which sends the password by e-mail. I'd like to find someway to "generate" the password from the hash. What's the easy way to do it? Thanks! Hi Julius,

I have a question: I'm using your class on my login system. This login system has a "reset password" page, which sends the password by e-mail. I'd like to find someway to "generate" the password from the hash.

What's the easy way to do it?

Thanks!

]]> Von: Julius http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1411 Julius Mon, 01 Aug 2011 09:57:27 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1411 Hi Tazek, i think i should do da rewrite of that code and publish it on github. But that has to wait for after exams. Regards, Julius Hi Tazek,
i think i should do da rewrite of that code and publish it on github.
But that has to wait for after exams.
Regards, Julius

]]> Von: Tazek http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-1410 Tazek Sun, 31 Jul 2011 15:54:57 +0000 http://juliusbeckmann.de/blog/?p=449#comment-1410 Hi, Your class seems to be really useful. Is it the latest version? How can I get further updates? Thank you! Best, Tazek Hi,

Your class seems to be really useful.
Is it the latest version? How can I get further updates?

Thank you!

Best,
Tazek

]]> Von: bucabay http://juliusbeckmann.de/blog/easy-to-use-and-secure-php-hashing-class.html/comment-page-1#comment-498 bucabay Tue, 20 Oct 2009 23:02:28 +0000 http://juliusbeckmann.de/blog/?p=449#comment-498 I think you hit the nail on the head with this one. There is a lot of bad advice that is just followed blindly regarding hashing of passwords. Especially the common advice that double hashing is bad, when it is used in my applications: http://en.wikipedia.org/wiki/Key_strengthening I like the global hash and custom hash function. You could however consider the global salt, and custom hashing function. Great work! I think you hit the nail on the head with this one. There is a lot of bad advice that is just followed blindly regarding hashing of passwords. Especially the common advice that double hashing is bad, when it is used in my applications: http://en.wikipedia.org/wiki/Key_strengthening

I like the global hash and custom hash function. You could however consider the global salt, and custom hashing function.

Great work!

]]>