
So I have a login system and I have used some security measures to make it secure. Firstly, I salt my passwords:

```php
$salt = openssl_random_pseudo_bytes(1024);
file_put_contents("salt.txt", $salt);
```

Next I hash it using the whirlpool algorithm:

```php
function myhash($password) {
    $salt = file_get_contents("private/salt.txt");
    $password = hash_hmac('whirlpool', $password, $salt);
    return $password;
}
```

This is an example of the password that would get returned and stored in the Database:

56a8cf545750eec78cb58582829636b1e0378cf0fff4982305a7171f06593fb92735d3576f0ad7ba8aec40c914abc38424885cb7ac2672b1d8da36e3b95c80ce

Now my question: if a hacker was able to recover that long string above, would they be able to somehow reverse/decrypt it to get the actual password? Let me know what you guys think/know. Is it impossible?

This is not a thread for people to suggest other things to me, please keep answers strictly related to the single question.

user3714214

2 Answers


One area of attack seems to be that two same passwords result in the same string, because you use the same salt for everyone.

So without decrypting anything, they can already tell who has the same password. That probably indicates weak passwords, and they can start brute-forcing there.

Thilo
  • I would downvote you if I could; I clearly state in bold writing that I did not want any suggestions or answers to unasked questions. You have not answered my question but instead suggested a problem in the code. Which, by the way, is false: it matters not if the hashed string is the same, people are allowed to have the same password across accounts, and they cannot decrypt the hash if they know that another person has the same password. I also did not ask anything about brute forcing. VERY bad answer. – user3714214 Jun 06 '14 at 08:27

Short answer: "NO". Whirlpool is a fairly strong hashing algorithm (not an encryption algorithm, as encryption assumes the ability to decrypt in some way). Salt (AKA shared key) just makes it even stronger. But having the same salt for everyone does not make it much weaker but makes it possible to find out who has the same password (without knowing the password itself).

A better use of salt is that it is randomly generated before use in the hash function (and it does not need to be 1024 bytes; 8 bytes is more than enough for a salt) and then prepended to the resulting hash. This way the function which checks the password knows which salt must be used and what hash is expected.

The Whirlpool algorithm has no known weaknesses and uses 512 bits. Therefore it is regarded as secure. However, I personally have two negative views on it:

  1. It underwent two modifications from its inception in 2000
  2. It is less used than other algorithms (namely SHA512).

So my personal view is that there is nothing wrong with your code and it is quite secure. But you may be better off switching to SHA512.

The only way to recover the password from that long string is brute force for a VERY LONG TIME (if the password is strong, of course) or maybe using some technology from the NSA :)

Vladimir Bashkirtsev
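The difference both answers point at, as an added example that is not code from the question or from either answer: the question's single shared salt next to a random per-password salt prepended to the hash, as the second answer describes. The function names, the 32-byte stand-in for `salt.txt`, and the sample passwords are constructed for illustration.

```php
<?php
// Added example: names and sample values below are constructed, not from the page.

// Scheme from the question: one site-wide salt used as the HMAC key.
function shared_salt_hash(string $password, string $siteSalt): string {
    return hash_hmac('whirlpool', $password, $siteSalt);
}

const SALT_BYTES = 8;   // salt size suggested in the second answer
const HASH_HEX   = 128; // whirlpool digest is 512 bits = 128 hex characters

// Scheme from the second answer: fresh random salt per password,
// stored in front of the hash so the checking function can recover it.
function per_user_hash(string $password): string {
    $salt = random_bytes(SALT_BYTES);
    return bin2hex($salt) . hash_hmac('whirlpool', $password, $salt);
}

function per_user_verify(string $password, string $stored): bool {
    // Reject malformed records before decoding the salt.
    if (strlen($stored) !== SALT_BYTES * 2 + HASH_HEX || !ctype_xdigit($stored)) {
        return false;
    }
    $saltHex  = substr($stored, 0, SALT_BYTES * 2);
    $expected = $saltHex . hash_hmac('whirlpool', $password, hex2bin($saltHex));
    return hash_equals($stored, $expected); // constant-time comparison
}

// Two accounts that chose the same (constructed) password.
$siteSalt = random_bytes(32); // stand-in for the contents of salt.txt
$alice = shared_salt_hash('correct horse', $siteSalt);
$bob   = shared_salt_hash('correct horse', $siteSalt);

// Shared salt: the stored strings match, so a database reader can see
// which accounts share a password without knowing the password.
echo "shared salt, records equal:   ";
var_dump($alice === $bob);

// Per-password salt: the stored strings differ, yet each still verifies.
$aliceRec = per_user_hash('correct horse');
$bobRec   = per_user_hash('correct horse');
echo "per-user salt, records equal: ";
var_dump($aliceRec === $bobRec);
echo "right password verifies:      ";
var_dump(per_user_verify('correct horse', $aliceRec));
echo "wrong password verifies:      ";
var_dump(per_user_verify('wrong horse', $aliceRec));
```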