Kommentare zu: PHP: Easy to use and secure PHP hashing Class

Von: Julius

Julius — Mon, 01 Aug 2011 19:46:58 +0000

There is no way to get the password from a hash.
Hashes just work the way Input (like a password) -hashing-> Hash. Not the other way round.
Encryption can do Input -encrypting-> Encrypted Input -decrypting-> Input but that aint practical.

Sending plain passwords via Email is also a security risk. I would avoid that.
Best way for you should be sending a unique link that can only be used once for resetting a password on your website.

Regards, Julius

Von: Tazek

Tazek — Mon, 01 Aug 2011 18:29:35 +0000

Hi Julius, I have a question: I'm using your class on my login system. This login system has a "reset password" page, which sends the password by e-mail. I'd like to find someway to "generate" the password from the hash. What's the easy way to do it? Thanks!

Von: Julius

Julius — Mon, 01 Aug 2011 09:57:27 +0000

Hi Tazek,
i think i should do da rewrite of that code and publish it on github.
But that has to wait for after exams.
Regards, Julius

Von: Tazek

Tazek — Sun, 31 Jul 2011 15:54:57 +0000

Hi,

Your class seems to be really useful.
Is it the latest version? How can I get further updates?

Thank you!

Best,
Tazek

Von: bucabay

bucabay — Tue, 20 Oct 2009 23:02:28 +0000

I think you hit the nail on the head with this one. There is a lot of bad advice that is just followed blindly regarding hashing of passwords. Especially the common advice that double hashing is bad, when it is used in my applications: http://en.wikipedia.org/wiki/Key_strengthening

I like the global hash and custom hash function. You could however consider the global salt, and custom hashing function.

Great work!

Von: Dustin

Dustin — Sat, 03 Oct 2009 17:59:46 +0000

Hey Julius,

I like the idea of a combination of global salting and per unit salting, as I can see it's obvious benefits. The argument for storing a users salt with the salted hashes can still be considered a viable measure, since a hacker would still need to know the insert method the code uses to salt (i.e. is it inserted by str_split, is it before the pass, after? etc...) as always security does also rely on the length of the values being passed to be hashed. The only problem I can forsee with a global hash however is, if it is lost, the scheme is broken, so precautions would need to be implemented to keep that from happening.

Great class, and I do like that it slows down the hashing routine.

-Dustin

Von: Julius

Julius — Fri, 02 Oct 2009 07:45:29 +0000

The global Salt is only a method for advanced use of the class to make hashes fetched with SQL-Injection useless. So the idea is not broken by default.
Adding a encryption with a secret key is not different to the use of a global salt when using only hashing functions.

Von: julianor

julianor — Thu, 01 Oct 2009 20:32:57 +0000

The global salt idea is broken. Salts are to avoid the same password resulting in the same hash. To do what you are trying to do you could encrypt every password with a real block cipher and a secret key before hashing. But if the attacker can retrieve all the hashes and he can change any password, your secret key starts to be useless too :)