What is the fault?
function enc($string) {
    $salt = "IkHoUvAnGoEdEVrIeNdEn12345678909887665432321";
    // Fixed: the original wrote $md5($string), which PHP treats as a call through an
    // undefined variable; the builtin is md5(). The closing brace was also missing.
    $hash = sha1(md5($salt . $string)) . md5($string) . sha1(md5(md5($string)));
    return $hash;
}
SuperDragonia 4 months ago
@SuperDragonia you have extra hyphens in there. Also, there appears to be a question mark after $hash= (when copied/pasted - you might want to check that out.) PM me if you need additional help!
shanetalbert 3 months ago
To make it even more secure, I generate a new random salt for every password (using ASCII values from 33 to 126, which has a good number of special characters) and store it in the database. I generate a new salt every time the user is logging in, so the hash in the database is never the same.
To make the string shorter, you can pass everything into MD5; it won't be less secure and will use less space in the database, only 32 chars (useful if you have a lot of members).
HCkev 9 months ago
@HCkev wow, that sounds like a pretty secure method; however, I don't think anyone watching YouTube tutorials about this will need that level of security (probably only large businesses / critical info), and it takes a somewhat powerful server to handle that too. But thanks for the info, I'd love to try to build something like that one day.
shanetalbert 9 months ago
I have a quick question. I am rather new to setting up php logins, and I was wondering if it would be possible to get a tutorial on actually placing the enc function into the login system. I think it would be good to see it in a real world application.
BKoehler65 1 year ago
@BKoehler65 It's quite easy, you need to encode the password specified in the form, and compare it to the hashed password stored in the database. If the two hashes are not identical, then it's the wrong password.
HCkev 9 months ago
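As an added example (not code from the thread), this puts together what HCkev describes in the two comments above: a per-user random salt from ASCII 33..126 stored next to the hash, the posted enc() construction applied with that salt, and a login check that rehashes the submitted password and compares it to the stored value. The table and column names, and the in-memory SQLite demo data, are assumptions.

```php
<?php
// Added example, not from the thread. Assumed schema: users(username, salt, pass_hash).
// Note for practitioners: md5/sha1 are fast hashes; PHP 5.5+ ships password_hash()/
// password_verify(), which is the purpose-built choice for new code.

// Salt from printable ASCII 33..126, as in the thread, drawn from a CSPRNG (random_int).
function make_salt(int $length = 16): string {
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= chr(random_int(33, 126));
    }
    return $salt;
}

// The posted enc() construction, with the per-user salt passed in instead of a constant.
function enc(string $password, string $salt): string {
    return sha1(md5($salt . $password)) . md5($password) . sha1(md5(md5($password)));
}

// Registration: generate a salt and store it together with the hash.
function register(PDO $db, string $user, string $password): void {
    $salt = make_salt();
    $stmt = $db->prepare('INSERT INTO users (username, salt, pass_hash) VALUES (?, ?, ?)');
    $stmt->execute([$user, $salt, enc($password, $salt)]);
}

// Login: rehash the form password with the stored salt; compare in constant time.
function login(PDO $db, string $user, string $password): bool {
    $stmt = $db->prepare('SELECT salt, pass_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (!hash_equals($row['pass_hash'], enc($password, $row['salt']))) {
        return false;
    }
    // Optional, as HCkev does: re-salt on every successful login so the stored value changes.
    $newSalt = make_salt();
    $upd = $db->prepare('UPDATE users SET salt = ?, pass_hash = ? WHERE username = ?');
    $upd->execute([$newSalt, enc($password, $newSalt), $user]);
    return true;
}

// Demo with an in-memory SQLite database and constructed credentials.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, salt TEXT, pass_hash TEXT)');
register($db, 'alice', 'correct horse');
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong password'));
```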
Can anyone make another script and use the same code as this but change it to decrypt it, or is it made to only work with the current system you're using?
computertrick 1 year ago
@computertrick Well, not really. It would take a lot of code to take a hashed string, run it through a function like this, and then get plain text from it. You would have to separate md5 from sha1 from the salts, which is near impossible. I don't think anyone could decrypt a hash from this.
shanetalbert 1 year ago
Isn't that overkill? Also, to be able to log in you would compare that long hash to the given password, encrypted by your enc, and see if they match, right?
RavenRof 1 year ago
@RavenRof overkill? It just depends on the situation, but I wouldn't recommend just using md5() or sha1() to store your passwords. And yes, you would use that same function to check the two hashes.
shanetalbert 1 year ago
@shanetalbert Yeah, using just md5 or sha1 would be a bad idea. But salting a passphrase and md5'ing it would ruin all the rainbow-table cracking. And a lot fewer CPU cycles, I believe. So... md5("Strong Passwrod" . "S@LT||\|G") = done. What's your opinion on this?
RavenRof 1 year ago
@RavenRof Yeah, that would work too, but could also be cracked (some rainbow tables have common salts added). If you want to make it simple & secure & fast, you could do something like md5("FIRSTSALT".$password."SALT2");
shanetalbert 1 year ago
Hooray for Notepad++. Also, this method would probably generate a lot of overhead on the server, which is grounds for termination on a lot of hosts for excessive CPU usage. I recommend looking at common software such as SMF for their functions toward password hashing. They generate a unique salt for every user and store them in the DB. They do use sha1 too.
ranger135xp 1 year ago
@ranger135xp Yeah, I thought about that, but I haven't found this to be a problem on any of my hosts yet. And it wouldn't be used that much, mostly for logins, not something that is constantly active.
shanetalbert 1 year ago
@shanetalbert Well, if you got bigger it would become a problem. Actually, it may even become a problem with 3 or 4 people logging in at the same time, which is more common than you may think.
ranger135xp 1 year ago
@ranger135xp Yeah, but if you got bigger, you wouldn't be on some cheap shared server that can only handle a little load. Cheap or shared servers aren't made to handle large sites.
shanetalbert 1 year ago
@shanetalbert not necessarily. Sites like Myspace and Facebook, no. But forums with over 2,000 members, hosts like Hostmonster can handle those and even have dedicated options. They seem to be one of the few best hosts around. I've been with them for years and when I call tech support I get an American in under 2 minutes.
ranger135xp 1 year ago
@ranger135xp I added this into one of my forums (7000+ users) on a cheap shared server, and I barely noticed a difference in server load. These kinds of servers are fine for stuff like that, but when you have thousands of logins per minute, that's when you need a better server with more power.
shanetalbert 1 year ago