Thanks a lot Hans for your great explanation about this type of password, salted passwords. I will google for that term, time-memory tradeoff.

Thanks one more time!!

Miguel Guirao
Servicios Datacard
www.SIASA.com.mx

-----Original Message-----
From: Hans Lellelid [mailto:hans@xxxxxxxxx]
Sent: Friday, June 11, 2004 12:15 a.m.
To: Miguel Guirao
CC: 'Justin Patrin'; php-db@xxxxxxxxxxxxx
Subject: Re: Re: Anyone using MSQL Server with PHP?

Hi Miguel,

I would also strongly suggest that you use a salted hash if you are concerned with security -- especially if that md5 could ever be compromised or pass in clear text over an internet connection. The md5() function in PHP produces unsalted hashes, which are fairly easy to crack.

Unlike md5(), the PHP crypt() function will generate salted hashes. On my Windows system it creates salted MD5 hashes (other operating systems may have other options like SHA1). A "salt" is essentially an additional random element that gets added into the password hash. This means that unlike md5() you will get a different hash each time you run crypt() on an identical string:

  crypt(hello) = $1$bJoW4DmS$GDNwsRSjd5rwkfra6KOh10
  crypt(hello) = $1$DnL7LQXm$eioj87M92X3IQvoTEquY21
  crypt(hello) = $1$h488/RAa$e8tA4K1hEuBBRnagJbBnV1

instead of:

  md5(hello) = 5d41402abc4b2a76b9719d911017c592
  md5(hello) = 5d41402abc4b2a76b9719d911017c592
  md5(hello) = 5d41402abc4b2a76b9719d911017c592

Why does this matter? Well, because of something called the time-memory tradeoff (try a Google search to see the math behind this). The basic principle of the time-memory tradeoff is that you could either spend a long time trying to brute force each password hash or you could just spend time once creating really big (memory) tables that contain all the possibilities and then crack a hashed password in seconds. Of course the more complex the passwords you want to crack the longer it takes to build these tables (could be days, weeks, months, etc.), but the idea is that once you've built these tables it only takes a few seconds to crack any supported password.

Time-memory tradeoff only works with unsalted passwords because these are 100% predictable (hash of unsalted MD5 is always the same, as seen above).

To check an entered password against the original when using salted hashes, you need to do something a little different: you have to pass the original encrypted password as the salt to the crypt() function (the crypt() function extracts the salt from the passed password and uses that same salt to encrypt the entered password).

For example in PHP, check entered password against real password like this:

  if (crypt($entered_pw, $real_pw) == $real_pw) {
      // login success
  }

Hope that helps. (Anyone, please correct any errors or misinformation above!)

Hans

Miguel Guirao wrote:
> Thanks!!
>
> It works out pretty nice!!
>
> Miguel Guirao
> Servicios Datacard
> www.SIASA.com.mx
>
> -----Original Message-----
> From: Justin Patrin [mailto:papercrane@xxxxxxxxxxxxxxx]
> Sent: Thursday, June 10, 2004 05:51 p.m.
> To: php-db@xxxxxxxxxxxxx
> Subject: Re: Anyone using MSQL Server with PHP?
>
> Miguel Guirao wrote:
>
>>Hi!!
>>
>>Anybody here using PHP with SQL Server? I would like to use a similar
>>function to password() from MySQL under SQL Server.
>>
>>Does anybody know of a similar function under SQL Server?
>>
>>Kind Regards,
>>
>>Miguel Guirao
>>Servicios Datacard
>>www.SIASA.com.mx
>
> If it's for your app only, you could use md5() in PHP.
>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
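
The difference Hans describes in the message above, as an added example that is not part of the original thread: one precomputed table matches every unsalted md5() hash of a listed password, finds nothing for salted crypt() hashes of the same password, and the crypt()-as-salt check still verifies logins. It assumes PHP 7 or later; the word list, user names, passwords and the helper names salted_hash() and check_password() are constructed for illustration.

```php
<?php
// Added example; word list, users and passwords below are constructed.
// Assumes PHP 7+ (random_bytes, hash_equals). Function names are illustrative.

// Hash with a fresh random salt in the "$1$" (MD5-crypt) format quoted above.
function salted_hash(string $pw): string {
    // 6 random bytes -> 8 base64 chars; map '+' into crypt's ./0-9A-Za-z alphabet.
    $salt = strtr(base64_encode(random_bytes(6)), '+', '.');
    return crypt($pw, '$1$' . $salt . '$');
}

// crypt() reads the salt back out of $stored and re-hashes $entered with it.
function check_password(string $entered, string $stored): bool {
    // hash_equals() compares in constant time instead of using ==.
    return hash_equals($stored, crypt($entered, $stored));
}

// Precomputed lookup table: built once, reusable against any unsalted md5().
$wordlist = ['hello', 'letmein', 'secret', 'dragon'];
$table = [];
foreach ($wordlist as $w) {
    $table[md5($w)] = $w;
}

// Two users with the same password, stored both ways.
$users = ['alice' => 'hello', 'bob' => 'hello'];
foreach ($users as $name => $pw) {
    $plain  = md5($pw);          // identical for both users
    $salted = salted_hash($pw);  // differs per user because the salt differs
    printf("%-5s md5   %s  table: %s\n", $name, $plain, $table[$plain] ?? 'no match');
    printf("%-5s crypt %s  table: %s\n", $name, $salted, $table[$salted] ?? 'no match');
}

// Verification still works because the salt travels inside the stored hash.
$stored = salted_hash('hello');
var_dump(check_password('hello', $stored));
var_dump(check_password('hullo', $stored));
```

On current PHP, password_hash() and password_verify() handle salt generation and comparison with a deliberately slow algorithm; the `$1$` format is used here only to match the hashes shown in the message.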