

Simple Password Hashing

Share your tips, snippets and experiences about DooPHP, and discuss about best DooPHP practices.

Simple Password Hashing

Postby tripbr » Sun Dec 26, 2010 9:47 pm

Hello guyz!

This is the little code that I made for hashing passwords for storing in the db.
Code:
<?php

class PasswordHash {

    // Edit this salt value with your own random salt.
    // Note: this is one site-wide salt shared by every stored hash.
    private static $salt = 'IAS(2801idji1dj-3idhJOHCJUH#&DF!)*@_DOIJKDJAEKDJFO';

    // Returns the stretched digest, optionally compressed through $compressMethod (md5 by default).
    public static function hash($password, $iterates = 10, $method = 'sha512', $compress = true, $compressMethod = 'md5') {
        if ($compress) {
            return hash($compressMethod, self::blow($password, $iterates, $method));
        } else {
            return self::blow($password, $iterates, $method);
        }
    }

    // Recomputes the hash with the same parameters and compares it to the stored value.
    // Returns true on a match, false otherwise.
    public static function check($password, $hash, $method = 'sha512', $iterates = 10, $compress = true, $compressMethod = 'md5') {
        if ($compress) {
            $computed = hash($compressMethod, self::blow($password, $iterates, $method));
        } else {
            $computed = self::blow($password, $iterates, $method);
        }
        return $computed === $hash;
    }

    // Iterated hashing: each round feeds the previous digest back in with the password and salt.
    // The loop bound is "<=", so $iterates + 1 rounds are run.
    protected static function blow($password, $iterates, $method) {
        $output = '';
        for ($i = 0; $i <= $iterates; $i++) {
            $output = hash($method, $password . self::$salt . $output);
        }
        return $output;
    }

}


You can save this code in your class folder. Now you can use the code:
Code:
Doo::loadClass('PasswordHash');
$hash = PasswordHash::hash('some_password');
// Now it is safe to store $hash in your db

if (!PasswordHash::check('some_password', 'db_stored_hash')) {
    echo 'You have entered the wrong password!';
}


That's it!
Hope you guyz like this little code!
Last edited by tripbr on Mon Dec 27, 2010 1:02 pm, edited 2 times in total.
Let's Doo::it
tripbr
 
Posts: 59
Joined: Thu Jun 24, 2010 2:21 pm
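An added example (not tripbr's class and not DooPHP code) of the same iterated-hash idea with two changes a reviewer would ask for: a random per-user salt stored next to the digest, and a constant-time comparison via hash_equals(). With one site-wide salt, two users who pick the same password end up with identical stored hashes; a per-user salt makes every stored value unique. The class name, the "salt$digest" storage layout and the iteration count are assumptions of this example; random_bytes() and hash_equals() require PHP 7+.

```php
<?php
// Added example, not the code from the original post. Assumes PHP 7+.
class PasswordHashPerUser {
    const ITERATIONS = 10000;   // assumption: raise until hashing takes tens of ms on your server

    // Returns "salt$digest"; both halves are hex, so the pair fits in one column.
    public static function hash($password, $iterations = self::ITERATIONS) {
        $salt = bin2hex(random_bytes(16));   // 128-bit random salt, unique per stored hash
        return $salt . '$' . self::stretch($password, $salt, $iterations);
    }

    // Recomputes the digest with the stored salt and compares in constant time.
    public static function check($password, $stored, $iterations = self::ITERATIONS) {
        $parts = explode('$', $stored, 2);
        if (count($parts) !== 2) {
            return false;   // malformed record: never treat it as a match
        }
        list($salt, $digest) = $parts;
        return hash_equals($digest, self::stretch($password, $salt, $iterations));
    }

    // Same feedback loop as the original blow(): previous digest is fed back in each round.
    protected static function stretch($password, $salt, $iterations) {
        $output = '';
        for ($i = 0; $i < $iterations; $i++) {
            $output = hash('sha512', $password . $salt . $output);
        }
        return $output;
    }
}

// Constructed demo: the same password for two users gives two different stored values,
// yet each one still verifies against the password it was made from.
$a = PasswordHashPerUser::hash('correct horse');
$b = PasswordHashPerUser::hash('correct horse');
var_dump($a !== $b);
var_dump(PasswordHashPerUser::check('correct horse', $a));
var_dump(PasswordHashPerUser::check('wrong password', $a));
```

For new code on PHP 5.5 or later, the built-in password_hash() and password_verify() (bcrypt by default) handle the per-user salt and the slow, tunable cost for you and are the simpler choice.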

Re: Simple Password Hashing

Postby RichardM » Mon Dec 27, 2010 3:00 am

Hi,

Just a couple of thoughts/notes. Hope you don't mind.

1) Why is the class extending DooController? Classes in class/ should not really extend DooController, as extensions of DooController should be for actual controllers within your app(s). Also, I do not think you use any of the actual DooController methods; simply use
Code:
class PasswordHash {


2) Those using this class should enter their own random salt and not just copy and paste the example salt provided.


Richard
Note: code samples may not be 100% accurate.
RichardM
 
Posts: 1329
Joined: Sun Aug 30, 2009 6:03 pm
Location: Cumbria, UK

Re: Simple Password Hashing

Postby tripbr » Mon Dec 27, 2010 1:05 pm

Hey Richard! You are right!
I have made some changes to the post.

I think that with the actual processing power, it's impossible to break this hash and get the password...
Let's Doo::it
tripbr
 
Posts: 59
Joined: Thu Jun 24, 2010 2:21 pm

Re: Simple Password Hashing

Postby vcardins » Mon Jan 24, 2011 3:38 pm

Hi Tripbr,

I avoid submitting passwords as plain text, so I encrypt it using MD5 with Javascript and then process it on the server side.
I'm not really sure what the best security practice on this is, so could you please share your thoughts?
vcardins
 
Posts: 11
Joined: Wed Aug 25, 2010 3:13 pm

Re: Simple Password Hashing

Postby RichardM » Mon Jan 24, 2011 3:57 pm

vcardins wrote:
> I avoid submitting passwords as plain text, so I encrypt it using MD5 with Javascript and then process it on the server side.

Does this not defeat the point? If you send the hash key in plain text, someone only needs to send this back in clear text to your app. In other words, the hash is the same as the password?

You would be better off using SSL to send the password over the internet to keep things secure.


Richard
Note: code samples may not be 100% accurate.
RichardM
 
Posts: 1329
Joined: Sun Aug 30, 2009 6:03 pm
Location: Cumbria, UK

Re: Simple Password Hashing

Postby roman » Mon Apr 25, 2011 5:42 pm

A solution offered at http://phpsec.org/articles/2005/password-hashing.html seems better.
roman
 
Posts: 442
Joined: Sat Aug 01, 2009 8:31 pm

Re: Simple Password Hashing

Postby RichardM » Mon Apr 25, 2011 7:04 pm

Hmm... I might be missing something here, but I think the issue in question is sending the password between the end user and your server, as basic authentication sends this in clear text over the internet. The methods on the page you have sent, I think, relate to the storage of the passwords on the server. The password would still be sent in clear text.

A salt value is already used in some of the functions of DooPHP.


Richard
Note: code samples may not be 100% accurate.
RichardM
 
Posts: 1329
Joined: Sun Aug 30, 2009 6:03 pm
Location: Cumbria, UK

Re: Simple Password Hashing

Postby roman » Tue Apr 26, 2011 4:11 pm

I was replying to the original poster in this thread. He is not the one who suggested sending a hash from the browser to the server.
roman
 
Posts: 442
Joined: Sat Aug 01, 2009 8:31 pm
