If you don’t know what hashing is in relation to coding, the long version is here: Cryptographic Hash Function but the short version is that it performs a mathermatical formula to components of the file, string or data, and returns a much shorter number with a slim chance of “collisions”.
I don’t know whether it’s immediately clear to anyone else, but I used to think this was a good idea.
<?php $password = sha1($_POST['password']);
Then I went to a PHPNW session, and asked someone to take a look at my code, and got a thorough drubbing for not adding a cryptographic salt (wikipedia).
For those who don’t know, a salt is a set of characters you add before or after the password (or both!) to make it so that a simple “rainbow table analysis” doesn’t work (essentially a brute-force attack against the authentication data by hashing lots and lots of strings looking for another hash which matches the stored hash). In order to make it possible to actually authenticate with that string again in the future, the string should be easily repeatable, and a way to do that is to use other data that’s already in the user record.
For example, this is a simple salt:
<?php
$password = sha1('salt' . $_POST['password']);
I read in the April 2012 edition of 2600 magazine something that I should have been doing with my hashes all along. How’s this for more secure code?
<?php
$site_salt = 'pepper';
$SQL = "SELECT intUserID FROM users WHERE strUsername = ?";
$DB = new PDO($dsn);
$query = $DB->prepare($SQL);
$query->execute(array(strtolower($_POST['username'])));
$userid = $query->fetch();
if ($userid == false) {
return false;
}
$prefix = '';
$suffix = '';
if ($userid % 2 == 0) {
$prefix = $site_salt;
} else {
$suffix = $site_salt;
}
if ($userid % 3 == 0) {
$prefix .= strtolower($_POST['username']);
} else {
$suffix .= strtolower($_POST['username']);
}
if ($userid % 4 == 0) {
$prefix = strrev($prefix);
}
if ($userid % 5 == 0) {
$suffix = strrev($suffix);
}
$hashedPassword = sha1($prefix . $_POST['password'] . $suffix);
So, this gives you an easily repeatable string, that’s relatively hard to calculate without easy access to the source code :)
