Creating a secure hash? - Printable Version
hashcat Forum (https://hashcat.net/forum)
Forum: Misc (https://hashcat.net/forum/forum-15.html)
Forum: General Talk (https://hashcat.net/forum/forum-33.html)
Thread: Creating a secure hash? (/thread-3057.html)
Creating a secure hash? - r0zzin - 01-21-2014

As a web designer I am looking to create a hash that is hard to crack. I found this site and thought to ask for info that anyone can give. I created a somewhat random function with PHP. Any help and feedback would be very much appreciated.

Code:
function dbHash($password,$name){

RE: Creating a secure hash? - radix - 01-21-2014

Would we add something as obscure as that? Probably not. Would someone come up with a way to work those? Depends on how bad they want in. Is it secure? No. Require strong passwords and use a slow algo.

RE: Creating a secure hash? - r0zzin - 01-21-2014

Is it better than just using md5 or sha1? I think with the proper motivation nothing is 100% secure. If someone wants to find a way in they will. Thank you for your reply.

RE: Creating a secure hash? - unix-ninja - 01-21-2014

Unfortunately, that's not really all that secure. Especially if someone manages to leverage your source. The best way to guarantee decent security is to assume that your source has already been compromised. Personally, I would recommend using bcrypt with a high iteration count (let's say 10 or 12). Just make sure you are salting per user.

RE: Creating a secure hash? - unix-ninja - 01-21-2014

Just as a P.S.: No new code bases should be using MD5 or SHA1 for security in the modern age.

RE: Creating a secure hash? - epixoip - 01-21-2014

Your algorithm is nothing more than security through obscurity. Immediate issues identified:

Please do not try to invent your own algorithm. Just use password_hash() if you're using PHP 5 >= 5.5.0, or crypt() with CRYPT_BLOWFISH or Openwall phpass if using an older version of PHP. And if you are truly interested in improving upon the state of the art, then I would recommend checking out the password hashing competition.

RE: Creating a secure hash? - Incisive - 01-24-2014

As the competition link shows, the top 3 methods are PBKDF2/RFC2898/PKCS #5, SCRYPT, and BCRYPT. For PBKDF2, use HMAC-SHA-512 as your hash algorithm, a per-user cryptographically random salt, and use tens of thousands of iterations. If you want to be even more advanced, use a per-user random number of iterations (for instance, when a user registers, store 64536 + RAND(32768) as the # of iterations, at the same time as you store their CRYPTO_RAND() generated salt). At least some PBKDF2(HMAC-SHA-512) test vectors are available at http://stackoverflow.com/questions/15593184/pbkdf2-hmac-sha-512-test-vectors

Don't roll your own password hashing!
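The two recommendations above (epixoip's password_hash() and Incisive's PBKDF2-HMAC-SHA-512 with per-user salt and iteration count) in working PHP, as an added example that is not code from the thread or any poster. It assumes PHP >= 7.0 for random_bytes() and random_int(); the function names registerPassword, checkPassword, pbkdf2Register and pbkdf2Check are my own.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 7.0 (random_bytes,
// random_int); password_hash()/password_verify() exist since 5.5 and
// hash_equals() since 5.6. Cost 12 follows unix-ninja's suggestion above.
const BCRYPT_COST = 12;

// Registration: bcrypt via password_hash(). The per-user salt is generated
// internally and embedded in the returned string, so only that string is stored.
function registerPassword(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Login: verify, and hand back an upgraded hash when the stored one was made
// with a lower cost than the current setting (store $upgraded if it is set).
function checkPassword(string $password, string $stored, &$upgraded = null): bool {
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upgraded = registerPassword($password);
    }
    return true;
}

// PBKDF2-HMAC-SHA-512 variant from Incisive's post: a per-user random salt and
// a per-user random iteration count (64536 + RAND(32768) as written there).
// Salt, iteration count and derived key must all be stored with the user record.
function pbkdf2Register(string $password): array {
    $salt = random_bytes(16);
    $iterations = 64536 + random_int(0, 32767);
    $dk = hash_pbkdf2('sha512', $password, $salt, $iterations, 64, true);
    return ['salt' => bin2hex($salt), 'iterations' => $iterations, 'dk' => bin2hex($dk)];
}

function pbkdf2Check(string $password, array $record): bool {
    $dk = hash_pbkdf2('sha512', $password, hex2bin($record['salt']),
                      $record['iterations'], 64, true);
    // hash_equals() compares in constant time, so a mismatch leaks no timing info.
    return hash_equals(hex2bin($record['dk']), $dk);
}

// Constructed demo input.
$stored = registerPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('Tr0ub4dor&3', $stored));
$rec = pbkdf2Register('correct horse battery staple');
var_dump(pbkdf2Check('correct horse battery staple', $rec));
```

For PHP older than 5.5, the crypt() with CRYPT_BLOWFISH or phpass route epixoip mentions replaces the password_hash() calls; the PBKDF2 functions need hash_pbkdf2(), which is also 5.5+.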