
Ecko
Nov 25, 2012
Thanks, could I please get an example?
Note: you should be using PHP 5.3 or above.
PHP:
class bcrypt {

        // '$2y$' is the corrected bcrypt identifier (PHP >= 5.3.7); '$2a$' on older versions
        private static $algorithm = '$2y$';
        // work factor: 2^cost iterations; crypt() needs it as two digits ("04".."31")
        private static $cost = '10';
        // check if bcrypt is usable
        public static function isAvailable() {
            return defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH;
        }

        // 22 characters from bcrypt's salt alphabet ./0-9A-Za-z
        public static function salt() {
            if (function_exists('openssl_random_pseudo_bytes'))
                return substr(strtr(base64_encode(openssl_random_pseudo_bytes(22)), '+', '.'), 0, 22);
            // fallback: mt_rand() is not cryptographically strong; note that base64 of a
            // single mt_rand() value is shorter than 22 chars, which makes crypt() reject the salt
            $alphabet = './ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
            $salt = '';
            for ($i = 0; $i < 22; $i++)
                $salt .= $alphabet[mt_rand(0, 63)];
            return $salt;
        }

        // let's hash
        public static function hash($password) {
            // bcrypt algorithm depending on PHP version
            if (version_compare(PHP_VERSION, '5.3.7', '<'))
                self::$algorithm = '$2a$';

            $hash = crypt($password, self::$algorithm . self::$cost . '$' . self::salt());
            // crypt() returns a short string such as "*0" when it rejects the salt
            if (strlen($hash) !== 60)
                throw new RuntimeException('bcrypt hashing failed');
            return $hash;
        }

        // check password against hash (constant-time comparison; '==' is not
        // constant-time and can leak how many leading bytes matched)
        public static function checkPassword($hash, $password) {
            if (strlen($hash) !== 60)
                return false;
            $new_hash = crypt($password, $hash);
            if (strlen($new_hash) !== 60)
                return false;
            $diff = 0;
            for ($i = 0; $i < 60; $i++)
                $diff |= ord($hash[$i]) ^ ord($new_hash[$i]);
            return $diff === 0;
        }
}

Now check $password (taken from $_POST input):
PHP:
if (bcrypt::checkPassword($hashFromDatabase, $password))
    echo 'Password correct';
else
    echo 'Password incorrect';
 

Markshall
Contributor
Dec 18, 2010
Trying to make your own hashes is pretty bad in my opinion; even if you use PHP's built-in functions, there will always be a way around it.

Personally, if you're going to be hashing passwords I wouldn't be storing them in the database. I'd use Facebook's and/or Twitter's APIs and let them do all the work by allowing people to sign up/log in with their Facebook and Twitter accounts.

Leave the cryptography to the professional cryptographers unless you're confident enough.
 

Ecko
Markshall said:
Trying to make your own hashes is pretty bad in my opinion; even if you use PHP's built-in functions, there will always be a way around it.

Personally, if you're going to be hashing passwords I wouldn't be storing them in the database. I'd use Facebook's and/or Twitter's APIs and let them do all the work by allowing people to sign up/log in with their Facebook and Twitter accounts.

Leave the cryptography to the professional cryptographers unless you're confident enough.
There is nothing wrong with using bcrypt (which PHP 5.5 does with the password_hash() function). bcrypt is 10,000x slower than SHA-1, and as long as you do not use a fixed salt you will be fine (it's actually better to let the salt be generated from random noise by the OS). Even if processors get stronger, bcrypt has a cost parameter to internally hash the password x amount of times.

As far as using Facebook's/Twitter's API goes, that's fine, but you should also keep in mind they are prime targets for potential hackers. Relying on a secondary source to maintain the security of your application is not very smart.
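As an added example (not code from this thread or from any of the posters), here is the same flow written against the password_hash() family that Ecko refers to, which replaces the hand-rolled crypt() wrapper from the first post: the salt comes from the OS on every call, the cost parameter is calibrated against the machine, and a cost increase is rolled out at the next successful login. The 250 ms target, the starting cost of 10, the policy cost of 12 and the sample passwords are assumptions made for the walk-through.

```php
<?php
// Added example, not code from the thread. Requires PHP >= 5.5 for
// password_hash()/password_verify()/password_needs_rehash(); on PHP 5.3.7-5.4
// the password_compat polyfill provides the same functions.

// Raise the cost until one hash takes at least $targetMs on this machine.
// password_hash() draws the salt from the OS CSPRNG itself, so no salt()
// helper is needed. Starting cost and target are assumptions.
function bcrypt_calibrate_cost($targetMs = 250, $start = 10) {
    for ($cost = $start; $cost < 31; $cost++) {
        $t0 = microtime(true);
        password_hash('calibration-only', PASSWORD_BCRYPT, array('cost' => $cost));
        if ((microtime(true) - $t0) * 1000 >= $targetMs) {
            break;
        }
    }
    return $cost;
}

function hash_for_storage($password, $cost) {
    if (strlen($password) > 72) {
        // bcrypt ignores everything after byte 72; reject rather than silently truncate.
        throw new InvalidArgumentException('password longer than 72 bytes');
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, array('cost' => $cost));
    if ($hash === false) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash; // 60 chars: "$2y$NN$" + 22-char salt + 31-char digest
}

// Returns array(bool $ok, string $hashToStore). password_verify() compares in
// constant time; password_needs_rehash() reports when the stored hash no longer
// matches the current cost policy so it can be replaced after a good login.
function check_login($password, $storedHash, $policyCost) {
    if (!password_verify($password, $storedHash)) {
        return array(false, $storedHash);
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, array('cost' => $policyCost))) {
        $storedHash = hash_for_storage($password, $policyCost);
    }
    return array(true, $storedHash);
}

// --- constructed walk-through (sample data, not real credentials) ---
$cost = bcrypt_calibrate_cost();
printf("calibrated cost for this machine: %d\n", $cost);

$stored = hash_for_storage('correct horse battery staple', 10); // hashed under an older policy
$again  = hash_for_storage('correct horse battery staple', 10);
printf("different salt per call: %s\n", $stored !== $again ? 'yes' : 'NO');

list($ok, $newHash) = check_login('correct horse battery staple', $stored, 12);
printf("login ok: %s, upgraded to cost 12: %s\n",
    $ok ? 'yes' : 'no', $newHash !== $stored ? 'yes' : 'no');

list($ok, $unused) = check_login('wrong password', $newHash, 12);
printf("wrong password rejected: %s\n", $ok ? 'NO' : 'yes');

// The 72-byte limit: these two differ only after byte 72, and bcrypt treats them as equal.
$a = str_repeat('a', 72) . 'X';
$b = str_repeat('a', 72) . 'Y';
printf("bytes beyond 72 ignored: %s\n",
    password_verify($b, password_hash($a, PASSWORD_BCRYPT)) ? 'yes' : 'no');
```

Store the full 60-character string as-is (a VARCHAR(255) column leaves room for longer hashes if the default algorithm changes later); password_verify() reads the algorithm, cost and salt back out of the stored value, so the cost can be raised at any time without touching existing rows.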
 
