
[PHP]-[Encrypting]-Sha1


30 replies to this topic

#21 Ultimatum

Posted 05 August 2007 - 05:47 PM

First off sha1, turns any words no matter how long into a 32 character key. Ok so you would set a basic sha1 statement like this:


Not true, sha1 returns a 40 character key, md5 returns 32. I wonder why nobody corrected this earlier?

#22 rc69

Posted 07 August 2007 - 05:33 PM

I always find a safe way to do this is:

md5(md5(sha1(md5($pass))));

It starts inwards to outwards, so md5 the password, sha1 that hash, md5 that hash, then md5 it again.

I thought my way was overkill. That method goes beyond overkill into a realm of its own. Not to mention it's a performance nightmare. It might not matter with only 50 users a day, but, depending on what else you have in your code, that would seriously slow it down.

First off sha1, turns any words no matter how long into a 32 character key. Ok so you would set a basic sha1 statement like this:


Not true, sha1 returns a 40 character key, md5 returns 32. I wonder why nobody corrected this earlier?

Lol, I never know how many characters were in a sha1 string. I knew it was more than 32, but I wasn't paying attention :)

#23 nitr0x

Posted 08 August 2007 - 04:25 PM

I always find a safe way to do this is:

md5(md5(sha1(md5($pass))));

It starts inwards to outwards, so md5 the password, sha1 that hash, md5 that hash, then md5 it again.

I thought my way was overkill. That method goes beyond overkill into a realm of its own. Not to mention it's a performance nightmare. It might not matter with only 50 users a day, but, depending on what else you have in your code, that would seriously slow it down.


Actually it doesn't slow it down at all; md5 and sha1 are just like any other PHP function. It's an instant function, so it doesn't slow the script down, maybe apart from by 0.01 seconds.

#24 rc69

Posted 12 August 2007 - 02:02 PM

It doesn't matter whether it is built-in or custom. Any call to a function slows things down. Built-in functions just have a tendency to be faster than custom functions.

#25 Hayden

Posted 09 September 2007 - 12:58 PM

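Here's a slight twist on rc's idea of md5($pass).sha1($pass)

function sv1($str) {
	$md5 = md5($str);    // 32 hex characters
	$sha1 = sha1($str);  // 40 hex characters
	$newpass = "";
	// Interleave the two digests one character at a time
	for($i=0; $i<strlen($sha1); $i++) {
		// Past index 31 the md5 substr() adds nothing, so the sha1 tail is appended unchanged
		$newpass .= substr($md5, $i, 1).substr($sha1, $i, 1);
	}
	return $newpass;
}

I like his idea of keeping it simple but wanted to add a little twist to it.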

Edited by SpatialVisionary, 09 September 2007 - 12:58 PM.


#26 rc69

Posted 09 September 2007 - 10:14 PM

sv1(), nice ;)

I see you still haven't compensated for md5 being about 8 characters shorter than sha1 yet though. Is that intentional?

Personally, I've never liked having to add those two together. It's secure, but if you get a large database of passwords, then it sorta gets cumbersome. If I were to use your method, I would simply set the condition to $i < 16; (32/2 results in a string of 32 characters). The only potential problem with that is a greater chance of cross-overs with passwords (different word, same encryption). I hate finishing out my thought process sometimes...

#27 Hayden

Posted 10 September 2007 - 02:12 PM

Yeah, I just left the last 6 characters as they were


What are the chances of the 2 words having the same encryption with 2 different methods and being blended together though?

#28 rc69

Posted 10 September 2007 - 09:45 PM

With the full length of 60+ characters? One in a million^2. With only 32 characters, one in a million.

#29 Kristopher

Posted 16 September 2007 - 01:11 PM

With the release of http://www.undosha1.com/, many passwords can be unhashed pretty quickly now

#30 Wildhoney

Posted 09 November 2007 - 03:53 PM

Well, the first thing that popped out to me and bit me on the nose, was that where you're setting the variable to secure, is that supposed to be a constant or a string? If someone were to copy and paste that code then a PHP error would ensue.

Moreover, I'd like to see some mention of client-side hashing and HTTPS if JavaScript is disabled. Also, there's no mention of cryptography salts - which would make such sites as Kristopher mentioned useless. These are all key issues, whereas I'm sure everybody knows how to use SHA1!

Edited by Wildhoney, 09 November 2007 - 03:54 PM.
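
The point about salts above, as an added example that is not part of any post in this thread: the chained md5/sha1 call quoted earlier is deterministic, so one precomputed table matches every account that shares a listed password, while a per-user salt removes that. The user names, passwords, word list and the helper names `chained`, `salted_sha1` and `build_table` are constructed for illustration.

```php
<?php
// Added example, not code from the thread. All names and passwords are constructed.

// The chained scheme quoted in the thread: no salt, so the same input
// always produces the same stored value.
function chained(string $pass): string {
    return md5(md5(sha1(md5($pass))));
}

// Salted variant for comparison. sha1 is still a fast hash; it is used here
// only to isolate what the salt changes.
function salted_sha1(string $pass, string $salt): string {
    return sha1($salt . $pass);
}

// A lookup service is modelled as a table: hash => original word.
function build_table(array $wordlist, callable $fn): array {
    $table = [];
    foreach ($wordlist as $word) {
        $table[$fn($word)] = $word;
    }
    return $table;
}

$wordlist = ['letmein', 'password1', 'qwerty'];
$users    = ['alice' => 'letmein', 'bob' => 'letmein', 'carol' => 'S3p-tember!'];

// 1) Unsalted chain: alice and bob get identical stored values, and a table
//    built once resolves both of them.
$table = build_table($wordlist, 'chained');
foreach ($users as $name => $pass) {
    $stored = chained($pass);
    printf("%-6s %s  table hit: %s\n", $name, $stored, $table[$stored] ?? '-');
}

// 2) Per-user random salt, stored beside the hash: identical passwords no
//    longer share a stored value, and a table built without the salt misses.
$plainTable = build_table($wordlist, 'sha1');
foreach ($users as $name => $pass) {
    $salt   = bin2hex(random_bytes(16));
    $stored = salted_sha1($pass, $salt);
    printf("%-6s %s:%s  table hit: %s\n", $name, $salt, $stored, $plainTable[$stored] ?? '-');
}
```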


#31 U1

Posted 11 December 2007 - 11:48 AM

MD5, SHA1, SHA256, etc. are all designed for speed; the faster, the weaker. If you want something more secure but slower, then go for Bcrypt, google it.

The attacker/hacker really cares a lot if password tests take twice as long. If one password test takes twice as long, the total password cracking time takes twice as long.
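
The speed argument above, measured, as an added example that is not part of the post: it times the chained md5/sha1 call from the thread against PHP's built-in bcrypt through `password_hash()` at two cost settings, then shows storage and verification. The sample password, the cost values and the helper `avg_ms` are assumptions chosen for illustration.

```php
<?php
// Added example, not code from the thread. Password and cost values are constructed.

// Average wall-clock milliseconds per call of $fn over $n runs.
function avg_ms(callable $fn, int $n): float {
    $start = microtime(true);
    for ($i = 0; $i < $n; $i++) {
        $fn();
    }
    return (microtime(true) - $start) * 1000 / $n;
}

$pass = 'correct horse battery staple';

// The fast chain quoted in the thread: this is the price of one guess.
$fast = avg_ms(function () use ($pass) {
    md5(md5(sha1(md5($pass))));
}, 10000);
printf("md5/sha1 chain : %.5f ms per hash\n", $fast);

// bcrypt: each +1 on cost doubles the work for every single guess.
foreach ([10, 12] as $cost) {
    $slow = avg_ms(function () use ($pass, $cost) {
        password_hash($pass, PASSWORD_BCRYPT, ['cost' => $cost]);
    }, 3);
    printf("bcrypt cost %d : %.1f ms per hash\n", $cost, $slow);
}

// Storage: password_hash() generates a random salt and embeds the salt and
// the cost in the returned string, so one column holds everything needed.
$stored = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 12]);
echo $stored, "\n";

// Login check against the stored string.
echo password_verify($pass, $stored) ? "match\n" : "no match\n";
echo password_verify('wrong guess', $stored) ? "match\n" : "no match\n";

// Raising the cost later: rehash on the next successful login.
if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => 13])) {
    $stored = password_hash($pass, PASSWORD_BCRYPT, ['cost' => 13]);
}
```

bcrypt only uses the first 72 bytes of its input, which matters if anything is prepended to the password before hashing.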



