asked on
PHP 5.3.3. Crypt function
I am trying to create an authentication mechanism using the crypt funtion.
In the php.net it says the following example:
<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
?>
My assumption that you will generate the hashed password in the first command, and later you retrieve it from a db and use the second command to verify it, but that doesn't work, but furthermore even the script as above did not work with me as every time the crypt is running it generates a different hash because it is using a randomly generated salt.
So instead I found this script is working with me:
<?php
$hashed_password = crypt('mypassword',$salt);
if (crypt($user_input, $salt) == $hashed_password) {
echo "Password verified!";
}
?>
My question is me understanding is correct? or I am misusing the function which might cause a security hole in my mechanism?
In the php.net it says the following example:
<?php
$hashed_password = crypt('mypassword'); // let the salt be automatically generated
if (crypt($user_input, $hashed_password) == $hashed_password) {
echo "Password verified!";
}
?>
My assumption that you will generate the hashed password in the first command, and later you retrieve it from a db and use the second command to verify it, but that doesn't work, but furthermore even the script as above did not work with me as every time the crypt is running it generates a different hash because it is using a randomly generated salt.
So instead I found this script is working with me:
<?php
$hashed_password = crypt('mypassword',$salt);
if (crypt($user_input, $salt) == $hashed_password) {
echo "Password verified!";
}
?>
My question is me understanding is correct? or I am misusing the function which might cause a security hole in my mechanism?
PHPWeb Languages and StandardsSecurity
Last Comment
arnold
SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Hi Dave thanks, I was planning to use the password_hash but it is not available in my php5.3.3 also I tried to upgrade to 5.5 to use this feature but 5.5 is not available on the standard centos repository yet and I'm not so much in favor for this upgrade yet not to mess with the othe php plugins , so I used crypt.
Hi Arnold, thanks for the explanation but I am really trying to store the password in hash format and then retrieve and compare it with the user input, but my problem that crypt ($ user_input,$ hashed_pass) will never give a value of $ hashed_pass where in my case the $ user_input is the flat inpu to of the user comming from the login form and $ hashed_pass is the initial hashed password stored in the db, and I don't know why, however the only thing I noticed that crypt ("my_password") is always giving different value unless you use with it the salt, what do you think? , by the way I am using pgdb.
Hi Arnold, thanks for the explanation but I am really trying to store the password in hash format and then retrieve and compare it with the user input, but my problem that crypt ($ user_input,$ hashed_pass) will never give a value of $ hashed_pass where in my case the $ user_input is the flat inpu to of the user comming from the login form and $ hashed_pass is the initial hashed password stored in the db, and I don't know why, however the only thing I noticed that crypt ("my_password") is always giving different value unless you use with it the salt, what do you think? , by the way I am using pgdb.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks Ray, you are always providing great support, but I can see from script that this is a 2 way encryption, and not like hashing which can not be decoded, don't you think that this is a little bit unsecured? what do you advise?
Security is a relative term. If you want my take on it, you can find a discussion at the end of this article. Search the text for "An Afterword: About Storing Passwords"
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
As we have now learned from the RSA disclosures, encryption of the sort used to protect internet messages was deliberately crippled by RSA in exchange for payments from the US Government. I don't think you can ever reach a state that implies "completely secure." Best practices are promulgated through OWASP. This is good: https://www.owasp.org/index.php/Top_10_2013-Top_10
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
As we have now learned from the RSA disclosures, encryption of the sort used to protect internet messages was deliberately crippled by RSA in exchange for payments from the US Government. I don't think you can ever reach a state that implies "completely secure." Best practices are promulgated through OWASP. This is good: https://www.owasp.org/index.php/Top_10_2013-Top_10
In the category of "security by obscurity" this looks interesting.
http://www.php.net/manual/en/function.base64-encode.php#85831
Perhaps a red-herring could be added to any encrypted data string, much like a "salt" can be added to the md5() string.
http://www.php.net/manual/en/function.base64-encode.php#85831
Perhaps a red-herring could be added to any encrypted data string, much like a "salt" can be added to the md5() string.
ASKER
Thanks for your support that was extremely helpful issue solved as usual :-)
Thanks for using EE! ~Ray
Your PHP code was rehashing a password.
crypt 's salt can be new or the hashed password, the only issue crypt may have a different order of (salt, password) or (password,salt)
the two first characters in the response will tell you whether, as I have before, placed the items in the wrong order.
you only posted the code for php handling, so I have no idea what was going wrong.
what characters are you allowing in the password? the mysql_real_escape.. would encode different characters
in future debug, out put the data to screen this way you can see what is going on with php processing.
i.e. an example of a person's password was sfdde3$d% after the real_escape it turned up as "sfdde3\$\%"
if you then rehash it, it may deviate from the entered password hash.
crypt 's salt can be new or the hashed password, the only issue crypt may have a different order of (salt, password) or (password,salt)
the two first characters in the response will tell you whether, as I have before, placed the items in the wrong order.
you only posted the code for php handling, so I have no idea what was going wrong.
what characters are you allowing in the password? the mysql_real_escape.. would encode different characters
in future debug, out put the data to screen this way you can see what is going on with php processing.
i.e. an example of a person's password was sfdde3$d% after the real_escape it turned up as "sfdde3\$\%"
if you then rehash it, it may deviate from the entered password hash.
You seem in your initial part rehashing presumably the stored hashed password which is the reason it did not work.
The other option is to rely on the encryption mechanisms that exist in the database server.
The second option means the password is stored in plain text within the database.
To illustrate the first option. During account creation/password changes
You would hash the password and then write the result into the database.
When a user attempts to login, you would retrieve the hashed password from the database and then within php and your comparison will be to compare $database_hashed_password == crypt($userprovidedpasswor
If you use mysql you can validate via a single select
I.e. If a record is returned the info provided was correct. ( you use the mysql_real_escape_string()
select * from list_users where username=$username and password=PASSWORD($user_pr
http://dev.mysql.com/doc/refman/5.5/en/encryption-functions.html