Re: Membership site

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Just as a word of caution to everyone on this list, mcrypt version of
blowfish (which is implemented by php) (in linux) has an 8bit bug in it, and
thus should not be used for hashing passwords even as backup. Basically if
you use a character such as say a British pound in your password, blowfish
with php will generate, a wrong hash and allow for some extensive
collisions. For example a hash for "ac" followed by a pound or euro or any
of those extended chars (that are present on European keyboards and such)
and a hash for just that char, would be the same! If you want I can show you
with some demo code. But until fixed, don't use blowfish with php on linux
at least, if you can.
On Jul 28, 2011 5:14 AM, "John Black" <spam@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> I would like to add some info about storing the password hash in the
> database.
>
> I recently tested how quickly one can brute force a simple md5('foo')
> hash with a modern GPU. The results have been truly eye opening....
> I have been able to break hundreds of hashes with my ATI 6870 in a
> couple of days. Even with passwords in the 8 char length range ... and
> even salted ones.
>
> The problem is that md5 is optimized for speed. Which is nice if you
> want to hash a file but it offers an attacker the option to brute force
> your password.
> The solution is to hash multiple times and if possible using a different
> hashing algorithm.
> http://php.net/crypt can help you here.
>
> I wrote a new password class for my own projects which will use crypt()
> with sha512, sha256, blowfish if available or fall back to a 3000 round
> md5().
> This approach makes it impractical to bruteforce the hash because every
> single test will have to run md5() 3000 times before it can validate a
> single hash.
> This also adds a delay to the login process but the hash is only checked
> once....
>
> The code is released under the BSD license so you may use it in a
> commercial application as well. The zip contains the class file and two
> sample pages demonstrating how to use the class.
>
> Here is a download link, let me know if you like it or have any questions.
>
> http://www.2shared.com/file/kocAJ2HO/class_password.html
> md5: 4ee41496a9d1bc147e5025699e2b764e class_password.zip
>
> --
> John
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux