Massassi Forums Logo

This is the static archive of the Massassi Forums. The forums are closed indefinitely. Thanks for all the memories!

You can also download Super Old Archived Message Boards from when Massassi first started.

"View" counts are as of the day the forums were archived, and will no longer increase.

ForumsDiscussion Forum → [tech] PHP / MYSQL question
12
[tech] PHP / MYSQL question
2007-08-27, 2:18 PM #41
Originally posted by Emon:
Smock, just use a content management system like Joomla.
It's a learning experience.
Ban Jin!
Nobody really needs work when you have awesome. - xhuxus
2007-08-27, 3:23 PM #42
Originally posted by Pagewizard_YKS:
is it possible to display a SHA1-hashed password as plaintext? (for a password recovery script) If so, what code do I need?

No, hashing is one way. That's the whole point. If your users forget their passwords, you should generate a new one. There should be PHP libraries for this. You can also just use a large random number. Make the password a random number between 1000000 and 10000000000 for example.
Bassoon, n. A brazen instrument into which a fool blows out his brains.
2007-08-28, 4:45 AM #43
Originally posted by The Mega-ZZTer:
What's wrong with just picking a salt and hard coding it into the script? IE:

$pass = sha("HACKTHISYOUJERKS".$pass);

I'd think it'd be a tad more secure than what you propose since even if the DB is stolen and the hacker has made many accounts with known passwords in there he still doesn't have sample before-hash and after-hash strings.

I'd think brute forcing a hash wouldn't be any harder if you kept the salt stored with it, except that you might not know which end the salt goes on.

I suppose a best solution would be using both techniques, part of the salt hard coded in the script and part of it randomly generated per-password and stored in the DB. :)


One of the ideas of the salt is that you would then get different hashes for two different records, even if they had the same password. Otherwise, if userA and userB both pick "password" as their password (yes, I know this isn't a realistic example: in a real production environment you'd expect many more than 2 users to have picked that particular password :suicide:) then userA somehow gets access to the password table, he could easily see that userB had the same password as it had the same hash.

The other idea of the salt is that it prevents dictionary attacks. If someone gets access to your hashed passwords, they probably will very easily be able to get a list of comonly used passwords hashed with md5, sha-1, etc. However, with a salt you need to have a dictionary generated for that site's salt. And then if you use a different salt per user, you need a dictionary per user on the site. It quickly becomes time-consuming* to brute force a password in this way.

The salt doesn't need to be kept secret, however. There's no security advantage to doing so, so it should be stored alongside the hashed passwords in the database.


* think will-take-longer-than-the-heat-death-of-the-universe style time consuming
2007-08-28, 4:47 AM #44
Er, re-reading your post I realise you actually did understand the basics of salting. Er, I'll pretend that was for the benefit of everyone else. *cough*
12

↑ Up to the top!