3

I am looking to create a commercial website using php and I wanted to make sure the code I have for user hashed password was strong enough to avoid brute force attacks.

Note that my server and it's php version does not support blowfish so I am trying to figure out a decent method of hashing a password.

$pw = "12341234";
$salt = 'randomchars';
$initial = sha1($pw);
$hashed = md5($salt . $initial);

Is there something else I should be considering? any thoughts would be appreciated!

Improve this question
1
  • You are combining two hashes (sha1 and md5). That is never a good idea. Commented Sep 11, 2011 at 2:38

5 Answers 5

Reset to default
2

You want http://www.openwall.com/phpass/

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

I'd say if its good enough to be "integrated into WordPress 2.5+", its probably a stable, secure library.
That's nothing, it's integrated into Drupal 7.
2

I think you are not aware of the fact, that the way you hash passwords does not influence the possibility of cracking the password by brute force attack (eg. when attacker tries to provide thousands of possible passwords). It only makes password safe in case someone sees the value in the database that is used to represent this password.

Improve this answer

13 Comments

The algorithm can, however, affect how quickly a brute force attack can be executed.
If someone has a copy of the database, and he or she is trying to brute force one or more passwords, the longer the hashing algorithm takes to run, the longer it will take to brute force one or more passwords. Yes, if someone is trying to brute force via a web form, the algorithm is not going to matter much in terms of time required (percentage wise anyway); however, "the way you hash passwords does not influence the possibility of cracking the password by brute force attack" is wrong by almost all interpretations of "possibility".
I believe we're arguing the same thing with different terminology. In fact, your comment previous to this one directly opposes the validity of your opening sentence in your answer. (Technically the truth of this comment depends on the definition of "possibility".) You first asserted that the algorithm used does not affect the feasibility of brute force attacking. Then, in your post previous to this one, you say that if you choose a weak algorithm, a brute force attack can be extremely quickly done. Which way is it?
If a certain algorithm takes 10ms longer to run (which would be a huge amount of time to hash 1 password), then each web request would take 10ms longer. Add that up, and yes, the time of the algorithm does affect it over the web as well. No offense, but this comment thread is devolving into babble about terminological differences and misunderstandings. The original point I disputed was that the algorithm chosen affects the amount of time that a brute force attack requires. I still dispute that.
And, "I would not say there is a correlation between time used by the algorithm to generate the hash and the time needed to break the hash" is blatantly wrong. Please think about this mathematically. If each run of algo 1 takes 10 seconds and each run of algo 2 takes 1ms, 10 attempts of algo 1 can require fewer attempts and still take longer than algo 2 to find a collision.
|
1

For Brute Attack you can use google's captcha..

And for code password you can use first md5 and second sha1 because md5 generating 32 characters data sha1 64.. :)

Improve this answer

Comments

0

Your snippet seems secure. You want to protect against rainbow table attacks, so the double-encryption is a good idea. The computing power to even generate a list of MD5 hashes of SHA1 plaintext is huge, but it's still no harm to have the salt there to protect against such an attack.

Improve this answer

Comments

0

There is no need to reinvent a wheel as there is a crypt function.

// generate MD5-hashed password with salt
$password = crypt('mypassword');
// password contains string(34) "$1$bkZO1nIl$y5bzPPwByq.9tYEb64k4e0"

See examples for different types of hashes including MD5 and SHA256 in the manual: http://php.net/manual/en/function.crypt.php

I this is not enough, there are alternatives:

Keep in mind that if someone was able to lay his hand on your database, his ability to crack users' passwords will be least of your problems.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.