Kommentare zu: PHP: Easy to use and secure PHP hashing Class

Von: Macs

Macs — Wed, 15 Feb 2012 09:44:54 +0000

Hi Julius

Please ignore my last comment. I understand now

Great stuff, thank-you

Regards
Macs

Von: Julius

Julius — Wed, 15 Feb 2012 09:36:56 +0000

It seems as if you missed the part, that for each hash a random salt is used, that is stored inside the returned hash. This is a security measurment to avoid hashes beeing cracked too fast.
More info can be found here: http://en.wikipedia.org/wiki/Salting_%28cryptography%29

Von: Macs

Macs — Wed, 15 Feb 2012 09:19:04 +0000

Hi Julius

Please forgive my ignorance, however, the code and example that you give generates a unique hash on each occasion that it is executed for the same password.

Is this intended and a I missing something.

Regards
Macs

Von: Julius

Julius — Mon, 01 Aug 2011 19:46:58 +0000

There is no way to get the password from a hash.
Hashes just work the way Input (like a password) -hashing-> Hash. Not the other way round.
Encryption can do Input -encrypting-> Encrypted Input -decrypting-> Input but that aint practical.

Sending plain passwords via Email is also a security risk. I would avoid that.
Best way for you should be sending a unique link that can only be used once for resetting a password on your website.

Regards, Julius

Von: Tazek

Tazek — Mon, 01 Aug 2011 18:29:35 +0000

Hi Julius, I have a question: I'm using your class on my login system. This login system has a "reset password" page, which sends the password by e-mail. I'd like to find someway to "generate" the password from the hash. What's the easy way to do it? Thanks!

Von: Julius

Julius — Mon, 01 Aug 2011 09:57:27 +0000

Hi Tazek,
i think i should do da rewrite of that code and publish it on github.
But that has to wait for after exams.
Regards, Julius

Von: Tazek

Tazek — Sun, 31 Jul 2011 15:54:57 +0000

Hi,

Your class seems to be really useful.
Is it the latest version? How can I get further updates?

Thank you!

Best,
Tazek

Von: bucabay

bucabay — Tue, 20 Oct 2009 23:02:28 +0000

I think you hit the nail on the head with this one. There is a lot of bad advice that is just followed blindly regarding hashing of passwords. Especially the common advice that double hashing is bad, when it is used in my applications: http://en.wikipedia.org/wiki/Key_strengthening

I like the global hash and custom hash function. You could however consider the global salt, and custom hashing function.

Great work!

Von: Dustin

Dustin — Sat, 03 Oct 2009 17:59:46 +0000

Hey Julius,

I like the idea of a combination of global salting and per unit salting, as I can see it's obvious benefits. The argument for storing a users salt with the salted hashes can still be considered a viable measure, since a hacker would still need to know the insert method the code uses to salt (i.e. is it inserted by str_split, is it before the pass, after? etc...) as always security does also rely on the length of the values being passed to be hashed. The only problem I can forsee with a global hash however is, if it is lost, the scheme is broken, so precautions would need to be implemented to keep that from happening.

Great class, and I do like that it slows down the hashing routine.

-Dustin

Von: Julius

Julius — Fri, 02 Oct 2009 07:45:29 +0000

The global Salt is only a method for advanced use of the class to make hashes fetched with SQL-Injection useless. So the idea is not broken by default.
Adding a encryption with a secret key is not different to the use of a global salt when using only hashing functions.