Re: Membership site

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



I would like to add some info about storing the password hash in the database.

I recently tested how quickly one can brute force a simple md5('foo') hash with a modern GPU. The results have been truly eye opening.... I have been able to break hundreds of hashes with my ATI 6870 in a couple of days. Even with passwords in the 8 char length range ... and even salted ones.

The problem is that md5 is optimized for speed. Which is nice if you want to hash a file but it offers an attacker the option to brute force your password. The solution is to hash multiple times and if possible using a different hashing algorithm.
http://php.net/crypt can help you here.

I wrote a new password class for my own projects which will use crypt() with sha512, sha256, blowfish if available or fall back to a 3000 round md5(). This approach makes it impractical to bruteforce the hash because every single test will have to run md5() 3000 times before it can validate a single hash. This also adds a delay to the login process but the hash is only checked once....

The code is released under the BSD license so you may use it in a commercial application as well. The zip contains the class file and two sample pages demonstrating how to use the class.

Here is a download link, let me know if you like it or have any questions.

http://www.2shared.com/file/kocAJ2HO/class_password.html
md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip

--
John


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux