Check if username/password match the username/encrypted password. Whirlpool encryption and salt

Question

I am just begining to learn php and have decided to put my self up to the challenge of coding a register and login script.

I am unsure of how to continue. Now, before you go searching through my code... Please don't be the guy that goes on a ramble about sql injection and bobby tables. I understand it, yet am not currently looking at it.

Anyways, I encrypted the password with whirlpool and a salt. Currently the salt is static, not sure how to implement one with the Time() function and not defeating the purpose by locating it in the database. The issue I am trying to solve is how to check if the user inputted a username and password that matches the username and HASHED password.

Here is my current code, I am assuming the most important pieces will be in the login.php file.

<?php
//connect.php
    $connection = mysql_connect("localhost","root","") or die("Couldn't connect to database");
    mysql_select_db("test", $connection);
?>

<?php
//index.php
include 'connect.php';
define('salt','7hPqMO(m=F+!!L6(#Yhp-CdF, &Q}+cIrA;c@wcP(E--V<qRmq!v*aSnM;H=4cD0');


if(isset($_POST['username']) && isset($_POST['fullname']) && isset($_POST['email']) &&      isset($_POST['password'])) {
    $username = mysql_real_escape_string($_POST['username']);
    $fullname = mysql_real_escape_string($_POST['fullname']);
    $email = mysql_real_escape_string($_POST['email']);
    $password = mysql_real_escape_string($_POST['password']);
    $encryptedPassword = hash( 'whirlpool',salt.$password );

    $sql="INSERT INTO `users` (username, fullname, email, password)
    VALUES
    ('$username', '$fullname','$email','$encryptedPassword')";

    if(!mysql_query($sql,$connection)) {
        die('Error: ' . mysql_error());
    } else {
        mysql_close($connection);
        header('Location: login.php?redirectedFromRegister=1');
    }
}
?>

<html>
    <body>
        <form action="index.php" method="post">
            <h1>REGISTER</h1><hr/>

            Email:    <input type="text" name="email"/><br/>
            Full Name:<input type="text" name="fullname"/><br/>
            Username: <input type="text" name="username"/><br/>
            Password: <input type="password" name="password"/><br/>

            <input type="submit" value="REGISTER"/>
        </form>
    </body>
</html>

<?php 
//login.php
include 'connect.php';

if(isset($_GET['redirectedFromRegister'])==1) {
    echo 'Thank you for registering, you may now login';
} else {
    echo '<h1>LOGIN</h1>';
}
?>

<html>
    <body>
        <form action="index.php" method="post">

            Username: <input type="text" name="username"/><br/>
            Password: <input type="password" name="password"/><br/>

            <input type="submit" value="LOGIN"/>
        </form>
    </body>
</html>

Really this question is probably simple, but I thought I would include my current code so people can learn something of it.

How do you decrypt a hashed password given the salt or whatever. Like I've said, I am not sure how it's done.

My database information, if you didn't see it in the connect.php file is:

Database : Localhost
Username : Root
Password : ""
Table    : users

Table layout :

------------------------------------------------------------------  
|  Id  |  Username  |  Password  |  Email       |  Fullname      |
------------------------------------------------------------------
|  1   |BobbyTables | HASHED_PASS|email@E.com   | Max Mastalerz  |
|  2   | SteveJo    | HASHED_PASS|steve@jobs.com| Steve Jobs     |
|  3   | MarkZuck   | HASHES_PASS|MarkZ@fb.com  | Mark Zuckerberg|
------------------------------------------------------------------

The codes are also easily available as a pastebin here:

Connect.php : http://pastebin.com/8ft12kG5

Index.php : http://pastebin.com/TqrJhzdu

login.php : http://pastebin.com/9fR3HJhe

Your salt should not be the same for every user. You should randomly generate it and then concatenate it to the password, which you then pass to the hash function. You will then need to store each user's salt in the database for comparison later. — Alex W, Apr 08 '14 at 02:52
You will have to hash the user inputted password and compare that with the one in your databse. — Bigalow, Apr 08 '14 at 02:53
As you're learning, on a sidenote mate, mysql is deprecated in php, use mysqli. It's ever so slightly easier as well which is even better :) Then eventually you can move on to PDO instead which is the best of the lot. — David G, Apr 08 '14 at 02:57
@bigalow how would I do this for adynamic salt? I very much understand the basics now. Also, is there some rule to not store the dynamic salt under its own column? — , Apr 08 '14 at 02:58
I don't know about such rule but I'm not an expert on this matter. You will first have to get the salt of the user with that login from your database. After that you should check wether the inputted password hashed with the salt is equal to the password stored in your database. Perhaps this topic can be of further assistance: http://stackoverflow.com/questions/14798275/best-way-to-store-passwords-in-mysql-database — Bigalow, Apr 08 '14 at 03:21
@user3483494 You can store a salt in its own column. It's not a big deal if a hacker gets the salts for each user because all salt does is prevents them from using pre-computed rainbow tables to hack all users' passwords very rapidly. — Alex W, Apr 08 '14 at 03:49

score 1 · Accepted Answer · answered Apr 08 '14 at 02:55

1

The general idea of salted hashes is that you generate a per-user salt, append it to the password and store the salt along with the salted+hashed password in the database.

When the user logs in you lookup the salt for their username, append it to the password that they input, hash that together and compare it with the hash stored in the database.

If you really, really insist on having a single salt for all users you can just append your global salt to the password that the user input and compare that with the hash that you've stored.

answered Apr 08 '14 at 02:55

photoionized

5,092
20
23

I get it! Had to re read it twice to understand. Kinda basic, isn't it. Thanks a lot! Also, what do you suggest as a randomized salt? A unix timestamp, with a mixture of random numbers... How long should the salt be and is there a function to generate random letters or ascii values. Maybe a random int function that translates the numbers into ascii values. Any idea on how to do this without declaring each number to value as a variable – Apr 08 '14 at 03:11
Depends on what system you're on. Take a look at this post for some ideas: http://stackoverflow.com/questions/1182584/secure-random-number-generation-in-php generally what I'd do is generate a bunch of random bytes and then base64 encode it. That way you can easily store it in a database. – photoionized Apr 08 '14 at 03:25
Oh, and just as a note to answer your question, something like a unix timestamp isn't good because it isn't a good source of randomness, read the post above for better alternatives. – photoionized Apr 08 '14 at 03:28
The best ones I saw are pretty amusing, random.org uses atmospheric noise and some other site uses a lava lamp. Genyuuus. – Apr 08 '14 at 03:41

Check if username/password match the username/encrypted password. Whirlpool encryption and salt

1 Answers1