[PHP] Is this a good security?

C++, C#, Java, PHP, ect...
vitinho444
Posts: 2819
Joined: Mon Mar 21, 2011 4:54 pm

[PHP] Is this a good security?

Post by vitinho444 »

Hello guys, in my free time I'm doing a browser-based game, a simple thing.

So for the password encryption (or hashing) I created a function that I think is good: in case hackers get your database records, they won't be able to see any passwords.

Here it is:

Code:

function Encrypt($string)
{
    // Three nested md5 rounds over the raw password (no salt)
    $eText = md5(md5(md5($string)));
    // Keep only the first 20 of the 32 hex characters
    $eText = substr($eText, 0, 20);
    // Hash the truncated value once more
    $eText = md5($eText);
    return $eText;
}
So what this does is triple-hash a $string, then cut the 32-character hash down to 20 characters and hash that again.
I don't know if it's a good way to hide passwords, but I guess those "rainbow databases" don't have this in their records.. so yeah :)
My Company Website: http://www.oryzhon.com

Skype: vpegas1234
Chris
Posts: 1580
Joined: Wed Sep 30, 2009 7:22 pm

Re: [PHP] Is this a good security?

Post by Chris »

That substr isn't a good idea and could possibly create multiple passwords working for one user account.

What you could do is use a prefix that's unique and will most likely keep your passwords from matching any md5-hash record databases.

Code:

function Encrypt($string)
{
   // Fixed, application-wide prefix prepended before four nested md5 rounds
   return md5(md5(md5(md5( 'my_unique_prefix' . $string))));
}
What you could also do is not store the password, but store the password+username or email combination:

Code:

// Hash the prefix, username and password together so the stored value differs per user
$userCredentialsHash = md5( 'prefix_' . $username . $password );
Fighting for peace is declaring war on war. If you want peace be peaceful.
dbest
Posts: 109
Joined: Sun Nov 20, 2011 12:24 pm

Re: [PHP] Is this a good security?

Post by dbest »

Taken straight from the OWASP site: https://www.owasp.org/index.php/Passwor ... heat_Sheet
Use a cryptographically strong credential-specific salt

A salt is a fixed-length cryptographically-strong random value. Append credential data to the salt and use this as input to a protective function. Store the protected form appended to the salt as follows:

[protected form] = [salt] + protect([protection func], [salt] + [credential]);

Follow these practices to properly implement credential-specific salts:

Generate a unique salt upon creation of each stored credential (not just per user or system wide);
Use cryptographically-strong random [*3] data;
As storage permits, use a 32-bit or 64-bit salt (actual size dependent on protection function);
Scheme security does not depend on hiding, splitting, or otherwise obscuring the salt.
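The fixed prefix in Chris's function and the per-credential salt in the quoted OWASP text lead to observably different stored values, and the quoted layout `[salt] + protect([salt] + [credential])` is easy to get wrong in the verify step. The following is an added example, not code from the thread or from OWASP. It assumes PHP 7.0 or later, uses PBKDF2-HMAC-SHA256 as the `protect()` function, and the constants `SALT_BYTES`, `PBKDF2_ITERATIONS` and `DK_BYTES` and the function names are choices made for this example.

```php
<?php
// Added example, not code from the thread or from OWASP. Assumes PHP 7.0+
// (random_bytes; hash_pbkdf2, hash_equals and password_hash exist since 5.5/5.6).

// Chris's fixed-prefix variant: the same password gives the same stored value
// for every user, so identical passwords are visible in a dump.
function fixedPrefixHash(string $password): string
{
    return md5(md5(md5(md5('my_unique_prefix' . $password))));
}

// Layout from the quoted cheat sheet:
//   [protected form] = [salt] + protect([salt] + [credential])
// Constants chosen for this example; raise the iteration count until one
// hash costs tens of milliseconds on the server that will run it.
const SALT_BYTES = 16;              // 128-bit salt (the quoted 32/64-bit figure is a floor)
const PBKDF2_ITERATIONS = 100000;   // work factor; PBKDF2-HMAC-SHA256 is the protect()
const DK_BYTES = 32;                // derived-key length in bytes

function makeProtected(string $password): string
{
    $salt = random_bytes(SALT_BYTES);   // CSPRNG, fresh for every stored credential
    $dk = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, DK_BYTES, true);
    // Salt is stored in the clear next to the derived key; its secrecy is not relied on.
    return bin2hex($salt) . ':' . bin2hex($dk);
}

function verifyProtected(string $password, string $stored): bool
{
    $parts = explode(':', $stored, 2);
    if (count($parts) !== 2) {
        return false;
    }
    $salt = hex2bin($parts[0]);
    $expected = hex2bin($parts[1]);
    if ($salt === false || $expected === false) {
        return false;
    }
    // Re-derive with the stored salt, never with a fresh one
    $candidate = hash_pbkdf2('sha256', $password, $salt, PBKDF2_ITERATIONS, DK_BYTES, true);
    // Constant-time comparison so response timing does not leak the stored value
    return hash_equals($expected, $candidate);
}

// Constructed demo: alice and bob both chose "hunter2".
$alice = makeProtected('hunter2');
$bob   = makeProtected('hunter2');

printf("fixed prefix, alice == bob: %s\n", fixedPrefixHash('hunter2') === fixedPrefixHash('hunter2') ? 'yes' : 'no');
printf("salted,       alice == bob: %s\n", $alice === $bob ? 'yes' : 'no');
printf("alice with 'hunter2': %s\n", verifyProtected('hunter2', $alice) ? 'accepted' : 'rejected');
printf("alice with 'Hunter2': %s\n", verifyProtected('Hunter2', $alice) ? 'accepted' : 'rejected');

// Same shape without writing any of it yourself: bcrypt via password_hash(),
// which generates the salt and embeds it in the returned string.
$h = password_hash('hunter2', PASSWORD_DEFAULT);
printf("password_verify: %s\n", password_verify('hunter2', $h) ? 'accepted' : 'rejected');
```

The two `makeProtected` calls for the same password produce different stored strings because each call draws its own salt, which is the property the cheat sheet is asking for; `verifyProtected` only works because it reads the salt back out of the stored value rather than generating one. The `password_hash` / `password_verify` pair at the end does the same job with a slow, salted algorithm chosen by PHP, and is what a practitioner would reach for instead of the hand-rolled version.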

Re: [PHP] Is this a good security?

Post by vitinho444 »

dbest wrote:Taken straight from the OWASP site: https://www.owasp.org/index.php/Passwor ... heat_Sheet
Use a cryptographically strong credential-specific salt

A salt is a fixed-length cryptographically-strong random value. Append credential data to the salt and use this as input to a protective function. Store the protected form appended to the salt as follows:

[protected form] = [salt] + protect([protection func], [salt] + [credential]);

Follow these practices to properly implement credential-specific salts:

Generate a unique salt upon creation of each stored credential (not just per user or system wide);
Use cryptographically-strong random [*3] data;
As storage permits, use a 32-bit or 64-bit salt (actual size dependent on protection function);
Scheme security does not depend on hiding, splitting, or otherwise obscuring the salt.
I know about the salt. But I think Chris' way is easier and faster to use. I know my DB won't get hacked; even if it was going to be, I think nobody will crack a prefix + md5 hash...

I think i will use the method:

Code:

// Hash the prefix, username and password together so the stored value differs per user
$userCredentialsHash = md5( 'prefix_' . $username . $password );
by Jacko, since each user gets his own security. What about hashing the username and password before hashing them all together? SUPER PROTECTION!!!!! XDDD
Last edited by vitinho444 on Tue Apr 30, 2013 1:18 pm, edited 1 time in total.

Re: [PHP] Is this a good security?

Post by vitinho444 »

I did this system:

Code:

function Encrypt($string)
{
    // Fixed prefix and suffix around the password, then four nested md5 rounds
    $eText = md5(md5(md5(md5("oryzhonStudios_" . $string . "999"))));
    return $eText;
}
And it works fine at registration.

But the login hash is not the same as the registration one.. wtf? It's the same Encrypt function and the same string...
Last edited by vitinho444 on Tue Apr 30, 2013 1:18 pm, edited 1 time in total.
Jackolantern
Posts: 10891
Joined: Wed Jul 01, 2009 11:00 pm

Re: [PHP] Is this a good security?

Post by Jackolantern »

vitinho444 wrote:I know about the salt. But i think jacko's way is easier and faster to use.
Hehe, I think you mean Chris.

If you are using PHP 5.3 or higher (and you probably are), I believe you have the very powerful SHA-512 algorithm available. I have not used it, but from my Googling for a library, it appears that openssl_digest() can take "sha512" as its second parameter and what you want hashed as the first parameter. SHA-512 is considered one of the toughest hashing algorithms right now.

If there is something wrong with this, I know that there are downloadable SHA-512 scripts you can use to generate the hash.
The indelible lord of tl;dr
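The discussion above is about which digest to pick (four nested md5 rounds with a fixed prefix versus SHA-512 through openssl_digest()). What decides the outcome for an attacker holding a database dump is not which fast hash was used but how many guesses per second can be tested against one stored value, and whether the prefix is really unknown once the source is also leaked. The following is an added example, not code from the thread; it assumes PHP 7.4 or later (arrow functions, hrtime()) with the openssl extension loaded, the eight-word dictionary `DICT` is constructed for the demo, and the function names are chosen here.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.4+ (arrow functions, hrtime)
// and the openssl extension for the openssl_digest() line. Rates are machine-specific.

// Constructed 8-word dictionary; real wordlists hold hundreds of millions of entries.
const DICT = ['123456', 'password', 'hunter2', 'letmein', 'qwerty', 'dragon', 'oryzhon', 'monkey'];

// The thread's scheme (fixed prefix/suffix, four nested md5 rounds), as posted.
function threadHash(string $password): string
{
    return md5(md5(md5(md5('oryzhonStudios_' . $password . '999'))));
}

// The two SHA-512 entry points mentioned in the thread produce identical hex digests.
function sha512Hex(string $s): string
{
    return hash('sha512', $s);
}

function sha512ViaOpenssl(string $s): string
{
    return openssl_digest($s, 'sha512');
}

// Offline attack once the attacker has both the DB dump and the source (so the
// prefix is known): walk the dictionary until the stored hash is reproduced.
function crackThreadHash(string $storedHash): ?string
{
    foreach (DICT as $guess) {
        if (hash_equals($storedHash, threadHash($guess))) {
            return $guess;
        }
    }
    return null;
}

// Guesses per second one PHP process can test against a single stored hash.
function guessesPerSecond(callable $hashFn, int $rounds): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $hashFn(DICT[$i % count(DICT)]);
    }
    $elapsed = (hrtime(true) - $start) / 1e9;
    return $rounds / max($elapsed, 1e-9);
}

$victim = threadHash('hunter2');   // constructed: this user chose "hunter2"
printf("thread scheme recovered: %s\n", crackThreadHash($victim) ?? 'not in dictionary');
printf("hash() == openssl_digest(): %s\n", sha512Hex('x') === sha512ViaOpenssl('x') ? 'yes' : 'no');

// For bcrypt an attacker re-uses the victim's salt via crypt(), exactly as
// password_verify() does, so each guess costs one full bcrypt computation.
$bcryptTarget = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10]);

$schemes = [
    'md5 x4 + prefix (thread)' => fn(string $p) => threadHash($p),
    'sha512 (hash)'            => fn(string $p) => sha512Hex('oryzhonStudios_' . $p . '999'),
    'sha512 (openssl_digest)'  => fn(string $p) => sha512ViaOpenssl('oryzhonStudios_' . $p . '999'),
    'bcrypt cost 10'           => fn(string $p) => crypt($p, $bcryptTarget),
];

foreach ($schemes as $name => $fn) {
    // bcrypt is slow by design, so far fewer rounds are needed for a stable estimate
    $rounds = strpos($name, 'bcrypt') === 0 ? 20 : 200000;
    printf("%-26s %12.0f guesses/s\n", $name, guessesPerSecond($fn, $rounds));
}
```

On an ordinary machine the md5 and SHA-512 lines land in the same ballpark (hundreds of thousands to millions of guesses per second from a single PHP process, and orders of magnitude more on a GPU cracker), while the bcrypt line is a few per millisecond at most; the prefix does not change that once the code is readable. Swapping the digest, as suggested above, only helps against precomputed md5 tables; the work factor is what raises the cost of each guess.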

Re: [PHP] Is this a good security?

Post by vitinho444 »

Jesus Christ, I look at the name and I always think of Jacko :P

I'm so sorry, Chris :oops:
Jackolantern wrote:
vitinho444 wrote:I know about the salt. But i think jacko's way is easier and faster to use.
Hehe, I think you mean Chris.

If you are using PHP 5.3 or higher (and you probably are), I believe you have the very powerful SHA-512 algorithm available. I have not used it, but from my Googling for a library, it appears that openssl_digest() can take "sha512" as its second parameter and what you want hashed as the first parameter. SHA-512 is considered one of the toughest hashing algorithms right now.

If there is something wrong with this, I know that there are downloadable SHA-512 scripts you can use to generate the hash.
Well, why doesn't PHP have a sha512() function yet? Lazy bastards :D jk, I might use that one, yes. I don't see the point of hard encryption when I think nobody will ever hack my game since there's no point.. but for the fun ofc.. xD

Thanks ;)

Re: [PHP] Is this a good security?

Post by Jackolantern »

Well, if you are hashing, and you don't have to go way far out of your way to choose a hashing algorithm that supposedly has not been broken yet versus one that most definitely has (like MD5), I say go for the better one!

That, and it is a good learning experience. One day it is likely that SHA-512 will be the bar, with algorithms much more powerful above it that people trade scripts to use, and MD5 simply being a footnote in history. May as well get familiar with the algorithm that will take your game further into the future :cool:

Re: [PHP] Is this a good security?

Post by vitinho444 »

Ok, so I check that website you gave me, openssl_digest()?

Re: [PHP] Is this a good security?

Post by Jackolantern »

That is my understanding. I have not used it myself before, but it should be there provided you have an up-to-date PHP installation :cool: