
I am developing a system using Codeigniter! All I wanted to know is if it would be possible for someone to find out what the password is if he/she knows the function and steps I have used to generate the encrypted hash? For now all I have to generate my hash strings is:

$pass = str_split($password, 2);
$hashPass = '';
foreach($pass as $p){
    $hashPass .= md5($p);
}
M Reza Saberi
    I'm not sure what you are doing here. You seem to be simply adding each character of the password to the string again? – Pekka Apr 07 '13 at 08:13
  • Yes, Pekka, if someone has the $pass value, can he decrypt the hash knowing this hashing process? – M Reza Saberi Apr 07 '13 at 08:14
  • With a decent password hash the only way to recover a password is by guessing. A good password hash makes guessing expensive. See [How to securely hash passwords? on security.stackexchange](http://security.stackexchange.com/questions/211/how-to-securely-hash-passwords) for an introduction to password hashing. Your scheme is lightyears from being good. – CodesInChaos Apr 07 '13 at 08:15
  • Your code is not working... $pass is an array; you can't .= to it. – Svetoslav Apr 07 '13 at 08:15
  • What you are showing above is not hashing. You'll need to show what you're actually using to hash the password. – Pekka Apr 07 '13 at 08:16
  • I think you should have a look at the encryption topic, like http://en.wikipedia.org/wiki/MD5 – Steely Wing Apr 07 '13 at 08:19

4 Answers


Your hash method is not a hash and it's a very bad idea. You must hash your password strings!

Here are 2 pretty simple functions for that.

function hash_my_pass($password){
    return generate_hash($password);
}

function generate_hash($password){
    # In this case I hash $password + some substr of the password.
    # It's good when you hash a pass to add something secret.
    return hash('sha256', $password . substr($password, 1, 3));
}

function check_password($password, $hashed_pass){
    # strict comparison so PHP does not type-juggle the two hex strings
    return generate_hash($password) === $hashed_pass;
}

$password = '123456789';
$hash = hash_my_pass($password);
echo $hash; # this hash you must keep in your DB.
# when the user logs in, just compare his pass with the hash from your DB
var_dump(check_password($password, $hash));
Svetoslav
  • -1 for a list of old, out-of-date & easily hacked hash alternatives. – jmadsen Apr 07 '13 at 13:03
  • right - and unfortunately, a lot of people are going to come along now and use them verbatim without understanding they are no good – jmadsen Apr 07 '13 at 22:15
  • +1 for jmadsen, no one should ever see this kind of code since they will just copy and paste thinking this is "secure" and it is very bad. I would -1 this if I could. No offense Svetlio – Rixhers Ajazi Apr 10 '13 at 16:43

Honestly, if you are not using Bcrypt in the year 2013 then passwords will be vulnerable. What you have going at the moment is quite low grade, if any grade at all for that matter, in terms of "encryption".

I use CodeIgniter with Bcrypt with this class

Then all you have to do is call this file bcrypt.php and then the class name is :

class Bcrypt extends CI_Controller {............}

Keep in mind, though, that with PHP 5.5 and above the new password hashing functions will be supported, which will automatically use Bcrypt until a stronger method comes out. Info here

Good luck and at the end of the day stop trying to roll your own "encryption/hashing" algorithms / methods / disasters. Doing so might leave your clients vulnerable.

Rixhers Ajazi
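Added example (not code from the question or from any of the answers): the questioner's per-chunk md5 scheme placed beside the PHP 5.5+ `password_hash()` / `password_verify()` functions that this answer points to. It assumes PHP >= 5.5 (where `PASSWORD_DEFAULT` is bcrypt), and the function names and the two sample passwords are constructed for illustration. It shows the two properties the comments argue about: the legacy scheme is unsalted and hashes each 2-character chunk independently, so the stored value reveals which parts of two passwords are identical, whereas `password_hash()` gives two users with the same password different hashes and still verifies both. The last part shows the `password_needs_rehash()` check that lets stored hashes be upgraded at login when the cost is raised.

```php
<?php
// Added example, not from the original question or answers.
// Assumes PHP >= 5.5; function names and sample passwords are constructed.

// The scheme from the question, reproduced only for comparison.
function legacy_chunk_hash($password) {
    $hashPass = '';
    foreach (str_split($password, 2) as $p) {
        $hashPass .= md5($p);
    }
    return $hashPass;
}

// Count the 32-hex-char md5 segments that two legacy hashes share at the same
// position. Each segment depends on one 2-character chunk only, so equal chunks
// produce equal segments: the stored value leaks where two passwords agree.
function shared_segments($hashA, $hashB) {
    $a = str_split($hashA, 32);
    $b = str_split($hashB, 32);
    $shared = 0;
    foreach ($a as $i => $seg) {
        if (isset($b[$i]) && $seg === $b[$i]) {
            $shared++;
        }
    }
    return $shared;
}

// Recommended replacement: salted, slow hash chosen by PHP. The random salt is
// generated internally and embedded in the returned string.
function store_password($password) {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify a login and report whether the stored hash should be upgraded
// (for example after the cost has been raised) so old rows migrate on next login.
function check_and_maybe_rehash($password, $stored, array $options = array()) {
    if (!password_verify($password, $stored)) {
        return array('ok' => false, 'new_hash' => null);
    }
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT, $options)
        ? password_hash($password, PASSWORD_DEFAULT, $options)
        : null;
    return array('ok' => true, 'new_hash' => $newHash);
}

// Constructed sample passwords (not real credentials).
$alice = 'summer2013!';
$bob   = 'summer2013?';   // differs from Alice's only in the last character

// Legacy scheme: no salt, so the same password always gives the same stored
// value, and these two similar passwords share 5 of their 6 md5 segments.
$legA = legacy_chunk_hash($alice);
$legB = legacy_chunk_hash($bob);
printf("legacy: same password, same stored value? %s\n",
       $legA === legacy_chunk_hash($alice) ? 'yes' : 'no');
printf("legacy: segments shared by two similar passwords: %d of %d\n",
       shared_segments($legA, $legB), strlen($legA) / 32);

// password_hash: two users with an identical password get different hashes,
// and knowing the algorithm gives no shortcut past the salt and work factor.
$h1 = store_password($alice);
$h2 = store_password($alice);
printf("bcrypt: same password, same hash? %s\n", $h1 === $h2 ? 'yes' : 'no');
printf("bcrypt: correct password verifies? %s\n",
       password_verify($alice, $h1) ? 'yes' : 'no');
printf("bcrypt: wrong password verifies?   %s\n",
       password_verify($bob, $h1) ? 'yes' : 'no');

// Migration: a hash made at the default cost needs a rehash once cost 12 is
// required; the login path hands back the new hash for the application to store.
$result = check_and_maybe_rehash($alice, $h1, array('cost' => 12));
printf("bcrypt: rehash needed at cost 12? %s\n",
       $result['new_hash'] !== null ? 'yes' : 'no');
```

The point for the question as asked: with the legacy scheme, knowing the steps is all an attacker needs, because every chunk is independent and unsalted. With `password_hash()` the algorithm is public by design, the per-user salt removes the shared-structure leak, and the cost parameter is what makes each guess expensive, which is exactly the property CodesInChaos describes in the comments.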

If they know the actual method of encryption, they have an easier time hacking it.

For all hashes there exist rainbow tables, for instance, which allow for fast reverting of passwords. That's why hashed passwords usually get salted.

str_split, on the other hand, is not a hash function, as far as I know.

scones

Look at Ion_auth http://benedmunds.com/ion_auth/ and use the bcrypt option - password hashing isn't something to try to create yourself.

jmadsen