php salt random password generation with md5
At present we are going to learn password hashing with random php string. Even we state this for PHP ,but this logic can be applied to any programming language. hashing means generating one way encrypting the given string, which is impossible to get the original string from the hash. this helps to prevent the brute force attaks. This hashing can be used not only password hashing ,it can be applied to user sensitive data .main goal for hashing a string is get uniqueness one data for given fixed lenngth string and generating at minimum time and miniumum application resources.
Why hashing a string or password?
for example we take the authentication system where we store the user name and password in plain format. when hacker get into our application got access to database, then he can see the user password. in this case not only hacker can see that passwords,but also other webmasters, coder,designer ..etc can also see the password.
<?php $username=$_POST['username']; $password=$_POST['password']; $result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ; /** sample tbl_user data *username , password *mahesh,mypassword1 *chari,password2 */ ?> |
So we must encrypt the password by using php famouse algorithms like md5,sha1..etc. for example.
<?php $username=$_POST['username']; $password=md5($_POST['password']); $result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ; /** sample tbl_user data *username , password *mahesh,0d28e4080dc8f64fc9603639bb7aa1b9 *chari,6cb75f652a9b52798eb6cf2201057c73 */ ?> |
With this method hacker who may access database can not gues the password, but he can know that password with brute force algorithms. This algorithm guess the key with all available alphabet combinations. like a,b,c,…..aa,ab,ac…aaa..aab…etc. So this is also use less or weak implementation of authentication.
Now we add a application secrete that can be called plain hash to user password and do the encrypt, now brute force attack takes much time compared to previous one, it is some what strong compared to other. but if the hacker get to know this secret it is make easy again.
<?php define('HASH','mysecretehash'); $username=$_POST['username']; $password=md5(HASH.$_POST['password']); $result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ; /** sample tbl_user data *username , password *mahesh,4e71c452f4aa24c19bf807a957986fc8 *chari,c645f52b2d8fcfc25e78ed73fc030bd3 */ ?> |
Since this plain salt is also weak, we generate a strong one that contains special symbols,numbers,capital letter,small letters and more lengthy and keep in mind that it wont take much time to encrypt and application resources.
Now we use salt with md5 ,then it get more strong.
<?php define('HASH',md5('mysecretehash')); $username=$_POST['username']; $password=md5(HASH.$_POST['password']); $result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ; /** sample tbl_user data *username , password *mahesh,4e71c452f4aa24c19bf807a957986fc8 *chari,c645f52b2d8fcfc25e78ed73fc030bd3 */ ?> |
Now even though above password is so strong but there is still a chance to know if attacker waits for a long time.
Now we use more customized salt generation for individual user liek , we combine user name also into salt.
<?php define('HASH',md5('mysecretehash')); $username=$_POST['username']; $password=md5($_POST['username'].HASH.$_POST['password']); $result=mysql_query("INSERT INTO tbl_user (username,password) VALUES ('$username','$password')") ; /** sample tbl_user data *username , password *mahesh,4e71c452f4aa24c19bf807a957986fc8 *chari,c645f52b2d8fcfc25e78ed73fc030bd3 */ ?> |
Now it is 98% is stronger than previous ones. remaining is there chance if attaker wait long time.
now we use individaul random salt that is totally unique for each user, so it become more powerfull and strong. now we deal with real solution with customized solution for each individual salt .
<?php //generate unique random string with given length function salt($length=6) { srand((double)microtime()*1000000); $randsymbols = "!@#$%^&*()_+=-';:,<.>`~?[]{}"; $randchar = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; $salt = array(); while($length > 0) { $str = $length%3==0 ? $randsymbols : $randchar; $salt[] = $str[rand() % strlen($str) - .04]; $length--; } shuffle($salt); mt_srand(); return(implode("", $salt)); } //hash the string with favorite encrypt algorithm, here i used md5, you can consider sha1 or else function password($str, $salt) { return md5(md5($str) . $salt); } ?> |
Now we have two functions one do gives unique string ,other do hashing the password. now we add one column to our tbl_user , called customsalt as varchar(45) , now we add the user to as below
<?php define('HASH',md5('mysecretehash')); $username=$_POST['username']; $customsalt=salt(3); $password=password($_POST['username'].HASH.$_POST['password'],$customsalt); $result=mysql_query("INSERT INTO tbl_user (username,password,customsalt) VALUES ('$username','$password','$customsalt')") ; /** sample tbl_user data *username , password,customsalt *mahesh,4e71c452f4aa24c19bf807a957986fc8,c645f52b2d8fcfc25e78ed73fc030bd3 *chari,c645f52b2d8fcfc25e78ed73fc030bd3,4e71c452f4aa24c19bf807a957986fc8 */ ?> |
Okay , now we consider fetching the user data and validating the user given user name and password for log in functionality.
<?php define('HASH',md5('mysecretehash')); $username=$_POST['username']; $password=$_POST['password']; $user=mysql_fetch_object(mysql_query("SELECT * FROM tbl_user WHERE username='$username'")); if($user){ $hashed=password($_POST['username'].HASH.$_POST['password'],$user->customsalt); if($hashed!==$user->password){ echo 'Invalid password.'; } } ?> |
Remember you must put your hash constant in non public directory and put that file into running script.
This is my idea only where i implemented on my projects , each developer has own methods as per their application level security level.