Yii Framework Forum: Alternative to sha1 / md5? - Yii Framework Forum


Alternative to sha1 / md5?

#1 Giovanni D.

Posted 14 August 2009 - 10:25 AM

As stated in the MySQL manual:

Quote

Exploits for the MD5 and SHA-1 algorithms have become known. You may wish to consider using one of the other encryption functions described in this section instead.


So.. what do you use/prefer? I mean, mainly for storing user passwords and managing user auth.

sha256? or what?

bye,
Giovanni.

#2 sidewinder

Posted 14 August 2009 - 11:20 AM

I use sha1 combined with a static and a dynamic salt to store passwords in the db. Both salts are 64 chars long.
You can find more about salts here

#3 pestaa

Posted 14 August 2009 - 12:30 PM

Whirlpool. 512 bytes.

#4 sebi

Posted 14 August 2009 - 10:47 PM

sha256 + salt

#5 Nemoden

Posted 15 August 2009 - 11:38 AM

I've invented my own :))
(not for sharing... sorry :) ).

#6 pestaa

Posted 17 August 2009 - 10:39 AM

WebShark, on 15 August 2009 - 11:38 AM, said:

I've invented my own :))

I'm not sure if there's any safer method than the unknown method. :)

#7 ekerazha

Posted 17 August 2009 - 12:24 PM

sha256, sha384, sha512, ripemd160, ripemd320, whirlpool

Maybe sha256 is the best compromise between security and performance. I love whirlpool, but it's slower and it takes double the space (length is 256 vs 512).

#8 Giovanni D.

Posted 20 August 2009 - 03:38 AM

sebi, on 14 August 2009 - 10:47 PM, said:

sha256 + salt


Thanks to all for your replies.. I think I'll go for this one ;)

Want to post a couple of links as a reference:
http://www.wobito.ca...ords-using-salt
http://www.php.net/m....hash-algos.php
http://www.php.net/m...nction.hash.php


I'm not very convinced about using a dynamic salt, because if a user is able to read your salt then they are probably able to read the code you used to get the dynamic salt.. ::)

bye,
Giovanni.

#9 Yarrgh

Posted 23 August 2009 - 02:30 PM

Well, if you combine this:

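<?php
// Static salt: the same value for every user
$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
$userPass = 'mickeymouse';
// Dynamic salt: a different value for each user
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';
// Password wrapped between the two salts, then hashed once with SHA-1
$tmpPass = $staticKey.$userPass.$dynamicPass;
$finalPass = sha1($tmpPass);
?>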


with a comment on PHP's website:

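<?php

// Split the password in two and hash: username + first half + fixed salt + second half
function doubleSalt($toHash,$username){
// intdiv() keeps the chunk length an integer for odd-length input
$password = str_split($toHash,intdiv(strlen($toHash),2)+1);
// ?? '' covers input too short to produce a second chunk
$hash = hash('md5', $username.($password[0] ?? '').'centerSalt'.($password[1] ?? ''));
return $hash;
}

?>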


You'll get something like this:

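<?php

$staticKey = 'qFn9/ASjCowjMXd/Y+H8UUQ+ht6QYdL7wYbGRqg0SuY=';
// PHP has no sha256() function; hash('sha256', ...) returns the hex digest
$userPass = hash('sha256', 'mickeymouse');
$dynamicPass = 'uWJgN9/5X8AXa5YAibXvqA==';

// Split the 64-character hex digest into two chunks (33 + 31 characters)
$password = str_split($userPass,intdiv(strlen($userPass),2)+1);

// Hash again with the dynamic salt placed between the two chunks
$finalPass = hash('sha256', $staticKey.$password[0].$dynamicPass.$password[1]);

?>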


I like this way better myself.
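
An added example, not code from any poster in this thread: the static-key plus per-user-salt SHA-256 scheme discussed above, next to PHP's built-in password_hash() and password_verify(), with legacy records upgraded at the next successful login. A single SHA-256 pass is fast to compute, which also makes guessing fast for anyone who obtains the stored hashes and salts; password_hash() uses a deliberately slow algorithm with its own random salt per password. The function names, the record layout and the sample values are assumptions made for the example.

```php
<?php
// Added example (not from the thread). All names and values are constructed.

// Scheme discussed in the thread: one fast SHA-256 pass over
// static key + password + per-user salt.
function legacyHash(string $password, string $staticKey, string $userSalt): string
{
    return hash('sha256', $staticKey . $password . $userSalt);
}

// Verify a login against a stored record and upgrade legacy records.
// $record = ['hash' => string, 'salt' => string|null]; salt is null once upgraded.
// Returns [bool $ok, array $record] so the caller can persist the new record.
function verifyAndUpgrade(string $password, array $record, string $staticKey): array
{
    if ($record['salt'] !== null) {
        // Legacy record: constant-time comparison of the recomputed digest.
        $expected = legacyHash($password, $staticKey, $record['salt']);
        if (!hash_equals($record['hash'], $expected)) {
            return [false, $record];
        }
        // The plaintext is available only during login, so re-hash it now.
        // password_hash() generates its own random salt and stores the
        // algorithm, cost and salt inside the returned string.
        return [true, ['hash' => password_hash($password, PASSWORD_DEFAULT), 'salt' => null]];
    }

    if (!password_verify($password, $record['hash'])) {
        return [false, $record];
    }
    // Re-hash if the default algorithm or cost changed since the hash was stored.
    if (password_needs_rehash($record['hash'], PASSWORD_DEFAULT)) {
        $record['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return [true, $record];
}

// Constructed sample data: one legacy record as it would sit in the db.
$staticKey = 'constructed-static-key';
$salt      = bin2hex(random_bytes(16));
$record    = ['hash' => legacyHash('mickeymouse', $staticKey, $salt), 'salt' => $salt];

[$ok, $record] = verifyAndUpgrade('mickeymouse', $record, $staticKey); // legacy path, upgrades
var_dump($ok, $record['salt'] === null);
[$ok, $record] = verifyAndUpgrade('mickeymouse', $record, $staticKey); // password_verify path
var_dump($ok);
[$ok] = verifyAndUpgrade('wrong-guess', $record, $staticKey);          // rejected
var_dump($ok);
```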