Securing Logins

This all started when I came to know that my LinkedIn password was hacked; being a developer, I knew a few ways to secure/encrypt my password. Most of the noob developers use md5 or hash. I kept thinking about it but never got time to Google it. But one of my developer friends from Egypt shared a link with me on Twitter. I read it and asked several dumb questions of the author; you can see a few comments under the name "bluepiccaso", that is me.

Here is a shorter and exact working version for securing your passwords. Please note that this is not a 100% solution for securing your passwords, but it is good.

Let's take an example:

$actualPassword = '123456';
$securePassword = md5($actualPassword); // e10adc3949ba59abbe56e057f20f883e

The trick is to hash a password not just once but many times. Just to make you understand, here is a quick example:

$pwd = '123456';
for ($x = 1; $x <= 1000; $x++) {
    $pwd = md5($pwd);
}
echo $pwd; // 66eccf32c43c345b4e4b88bd529dc384

As seen, the result "66eccf32c43c345b4e4b88bd529dc384" is the password hashed 1000 times over. The higher the number, the more work every guess costs, so the hash gets harder to crack. Note that looping alone does not add a salt: two users who both chose 123456 would still end up with exactly the same hash.

An attacker cannot decrypt a hash. What they do is guess candidate passwords (from a wordlist, or every possible combination) and run each guess through the same hashing steps until the output matches. A password that has gone through a long chain of looped hashes makes each of those guesses take correspondingly longer.
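Before moving on to crypt(), here is an added example (my code, not from the post or the linked article) that puts numbers on the two claims above: the cost of a guess grows with the round count, and a loop without a salt still lets one precomputed wordlist crack every user who picked the same password. The wordlist, the three accounts and the round counts are constructed for the demo; it needs PHP 7.0 or later.

```php
<?php
// Added example, not code from the original post: it measures why looped hashing
// slows an attacker and shows what the loop alone does not fix. Without a per-user
// salt, identical passwords give identical hashes, so one precomputed wordlist cracks
// every user at once. The wordlist and user records below are constructed for the demo;
// real code should use crypt() as the post goes on to describe, not hand-rolled MD5.

// The post's loop, with an optional salt mixed into every round.
function loopedMd5(string $password, int $rounds, string $salt = ''): string {
    $h = $password;
    for ($i = 0; $i < $rounds; $i++) {
        $h = md5($salt . $h);
    }
    return $h;
}

// Average wall-clock cost of one guess for a given round count.
function secondsPerGuess(int $rounds, int $samples = 5): float {
    $t = microtime(true);
    for ($i = 0; $i < $samples; $i++) {
        loopedMd5('123456', $rounds);
    }
    return (microtime(true) - $t) / $samples;
}

// 1. Cost per guess grows linearly with the round count.
foreach ([1, 1000, 100000] as $rounds) {
    printf("md5 x %-6d : %.6f s per guess\n", $rounds, secondsPerGuess($rounds));
}

// 2. Constructed wordlist: 200 junk guesses followed by the real passwords.
$wordlist = [];
for ($i = 0; $i < 200; $i++) {
    $wordlist[] = "guess$i";
}
$wordlist[] = '123456';
$wordlist[] = 'letmein';

$accounts = ['alice' => '123456', 'bob' => '123456', 'carol' => 'letmein'];

// Unsalted (the post's loop): alice and bob end up with the same hash, and the
// attacker hashes the wordlist exactly once, then cracks every user by lookup.
$unsalted = [];
foreach ($accounts as $name => $pw) {
    $unsalted[$name] = loopedMd5($pw, 1000);
}
printf("alice and bob hashes identical: %s\n", $unsalted['alice'] === $unsalted['bob'] ? 'yes' : 'no');

$table = [];
foreach ($wordlist as $w) {
    $table[loopedMd5($w, 1000)] = $w;
}
foreach ($unsalted as $name => $hash) {
    printf("unsalted %-5s -> %s\n", $name, $table[$hash] ?? '(not in wordlist)');
}
printf("unsalted attack cost: %d looped hashes for all users\n", count($wordlist));

// Salted: every user gets a fresh random salt, so nothing can be precomputed or shared;
// the attacker must rerun the wordlist against each user separately.
$salted = [];
foreach ($accounts as $name => $pw) {
    $salt = bin2hex(random_bytes(8));
    $salted[$name] = ['salt' => $salt, 'hash' => loopedMd5($pw, 1000, $salt)];
}
$work = 0;
foreach ($salted as $name => $rec) {
    foreach ($wordlist as $w) {
        $work++;
        if (hash_equals($rec['hash'], loopedMd5($w, 1000, $rec['salt']))) {
            printf("salted   %-5s -> %s\n", $name, $w);
            break;
        }
    }
}
printf("salted attack cost: %d looped hashes, and it grows with every extra user\n", $work);
```

Run it with `php demo.php`. The first section shows the per-guess time scaling with the rounds; the second shows the unsalted attack cracking all three accounts with 202 hash computations while the salted attack needs one full pass per account, which is the whole reason crypt()'s per-user salt matters in the sections that follow.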

You might be wondering how to do this in practice: we can't just write a "for" loop around every password, and we would have to run it twice, once when saving the password and once when matching it against the stored record.


The solution I found was crypt(). The PHP crypt() function does not actually encrypt your password (an encrypted value can be decrypted; a hash cannot): it produces a one-way hash, and the salt string you give it chooses the algorithm, the number of rounds and the salt.

Here is a simple example (from the article linked above):

// You would of course get this from $_POST['Password'] or similar when registering an account or changing a password.
$Password = 'MySuperSecretPassword123';
$HashedPassword = crypt($Password);
echo "We've generated a new hashed password of: {$HashedPassword}, from {$Password}.";

// That would echo:
/* We've generated a new hashed password of:
$6$tuGPKBZX$eRY4lydz6jUzVPVDZYz3M/JIiEyqqgfDd7MgpkByvtyPuDdZDYE9AVYF1u9ND6zdrJvCOwLEmsIQ4g64/GMQi0,
from MySuperSecretPassword123. */

Note that calling crypt() with only one argument, as above, is deprecated since PHP 5.6 and no longer allowed from PHP 8.0 onwards: the salt argument is required there, which is exactly what the next section supplies.

But now, where is the security? How do I know how many times it has hashed the password?

The crypt() function takes a second parameter: a salt string that it bases its hashing on. For the SHA-based algorithms that string also carries the algorithm id and the round count.

Here's how:

$Password = 'SuperSecurePassword123';

// The rounds= option only works for CRYPT_SHA256 ($5$) and CRYPT_SHA512 ($6$), but it should give you an idea of how crypt() works.
$Salt = uniqid(); // Demo only: uniqid() is derived from the clock, not from a random source. A real salt should come from random_bytes() (PHP 7+).
$Algo = '6'; // This is CRYPT_SHA512 as shown on http://php.net/crypt
$Rounds = '5000'; // The more rounds, the more work per guess. sha512crypt accepts 1000 to 999999999 and uses 5000 when rounds= is left out.

// This is the "salt" string we give to crypt().
$CryptSalt = '$' . $Algo . '$rounds=' . $Rounds . '$' . $Salt;

$HashedPassword = crypt($Password, $CryptSalt);
echo "Generated a hashed password: " . $HashedPassword . "\n";

/* As seen above, $rounds is the number of times the password is hashed. $Algo is '6', i.e. "$6$", for SHA-512. You can use '1' ("$1$") for MD5-crypt, but that algorithm ignores rounds= (it is fixed at 1000 iterations) and is weak, so stick with "$6$". */

Authenticating users

So how do you really use the code above? Here is the explanation.

When a user registers with a password

$Password = 'SuperSecurePassword123';

what you can do is

$Salt = uniqid();
$Algo = '6';
$Rounds = '5000';
$CryptSalt = '$' . $Algo . '$rounds=' . $Rounds . '$' . $Salt;
$HashedPassword = crypt($Password, $CryptSalt);

and save $HashedPassword to a database field. Store the whole string, including the "$6$rounds=5000$<salt>$" prefix; it is well over 100 characters long, so make the column wide enough.

When doing the login you simply check:

if (crypt($Password, $HashedPassword) == $HashedPassword)

/* where $Password is the password the user typed into the login form and $HashedPassword is fetched from the database for the corresponding username or email (whatever you use as the login credential) */

Do not get confused by the code above: crypt() reads the algorithm, the round count and the salt back out of the stored hash, so given the same password it returns exactly the string it originally created, and given a different password it returns something else. One caveat for production code: == stops at the first byte that differs, which leaks timing information. PHP 5.6 and later provide hash_equals($HashedPassword, crypt($Password, $HashedPassword)) for a constant-time comparison.
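The register/verify flow above, written out as an added example (my code, not from the original post or the linked article). It keeps crypt() with a "$6$rounds=...$" setting but fixes three things a reviewer would flag in the snippets: uniqid() as the salt, the == comparison, and the missing check that crypt() actually succeeded. It assumes PHP 7.0 or later (random_bytes, hash_equals, scalar type declarations); the HASH_ROUNDS value, the function names and the $user record are my own choices, not anything the post defines.

```php
<?php
// Added example, not code from the original post or the linked article.
// Register/verify around crypt() with "$6$rounds=N$salt$" settings.
// Assumes PHP 7.0+ (random_bytes, hash_equals, scalar type declarations).
// HASH_ROUNDS, the function names and the $user record are this example's own choices.

const HASH_ROUNDS = 100000;   // raise until hashing costs roughly 100 ms on your servers

// 16 characters (the most sha512crypt reads) drawn from crypt()'s ./0-9A-Za-z alphabet.
function makeSalt(): string {
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $bytes = random_bytes(16);
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        // 256 is a multiple of 64, so byte % 64 picks a character without bias
        $salt .= $alphabet[ord($bytes[$i]) % 64];
    }
    return $salt;
}

// Called at registration or password change; returns the string to store.
function hashPassword(string $password, int $rounds = HASH_ROUNDS): string {
    $setting = sprintf('$6$rounds=%d$%s$', $rounds, makeSalt());
    $hash = crypt($password, $setting);
    // On failure crypt() returns a short marker such as "*0" rather than a hash.
    if (strlen($hash) < 13 || strpos($hash, '$6$') !== 0) {
        throw new RuntimeException('crypt() failed to produce a SHA-512 hash');
    }
    return $hash;
}

// Called at login: crypt() takes algorithm, rounds and salt from the stored hash,
// and hash_equals() compares in constant time (== would leak where the mismatch is).
function verifyPassword(string $password, string $storedHash): bool {
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// True when a stored hash uses fewer rounds than we require now, so the login
// code can rehash with the fresh plaintext right after a successful verify.
function needsRehash(string $storedHash, int $rounds = HASH_ROUNDS): bool {
    if (!preg_match('/^\$6\$rounds=(\d+)\$/', $storedHash, $m)) {
        return true;   // not sha512crypt, or rounds= omitted (implicit 5000)
    }
    return (int) $m[1] < $rounds;
}

// Usage with a constructed user record standing in for a database row.
$user = ['email' => 'alice@example.com', 'pwhash' => hashPassword('SuperSecurePassword123')];
echo "stored: {$user['pwhash']}\n";

$attempts = ['SuperSecurePassword123', 'WrongPassword'];
foreach ($attempts as $attempt) {
    $ok = verifyPassword($attempt, $user['pwhash']);
    printf("%-24s -> %s\n", $attempt, $ok ? 'login ok' : 'rejected');
    if ($ok && needsRehash($user['pwhash'])) {
        $user['pwhash'] = hashPassword($attempt);   // upgrade cost while we still have the plaintext
    }
}

// The post's own 5000-round hash still verifies but is flagged for an upgrade.
$old = '$6$rounds=5000$4d2c68c2ef979$PZTAkwfvCZN0nT4La/0eNNKLt43w1B7DUkFNc9t1bnOG0OJRESnDa1E1H812TZ3CiBqd2qrcFrz2pk/kqpAy3/';
printf("old hash verifies: %s, needs rehash: %s\n",
    verifyPassword('SuperSecurePassword123', $old) ? 'yes' : 'no',
    needsRehash($old) ? 'yes' : 'no');
```

The design point is that the stored string is self-describing, so verifyPassword() never needs to know which rounds or salt were used, and needsRehash() lets you raise HASH_ROUNDS later without forcing a password reset. If you are on PHP 5.5 or newer, the built-in password_hash() and password_verify() functions wrap the same idea (random salt, tunable cost, self-describing output, needs-rehash check via password_needs_rehash()) and are the simpler choice for new code.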

Here is another sample to test this:

$Password1 = 'WrongPassword';
$Password2 = 'SuperSecurePassword123';
// The hash created for $Password2
$HashedPassword = '$6$rounds=5000$4d2c68c2ef979$PZTAkwfvCZN0nT4La/0eNNKLt43w1B7DUkFNc9t1bnOG0OJRESnDa1E1H812TZ3CiBqd2qrcFrz2pk/kqpAy3/';

// Now, what about checking if a password is the right password?
if (crypt($Password1, $HashedPassword) == $HashedPassword) {
    echo "Hashed Password matched Password1";
} else {
    echo "Hashed Password didn't match Password1";
}

if (crypt($Password2, $HashedPassword) == $HashedPassword) {
    echo "Hashed Password matched Password2";
} else {
    echo "Hashed Password didn't match Password2";
}

Copy and paste this simple code and enjoy.

I hope this helps the many new developers who seek knowledge.

Below are some links to related articles:

PHP crypt()

##php clone of Ptacek's article on hashing

PHP Security Consortium article

The SHA-512 algorithm

Comments and feedback are welcome.

Thank you.