Hi Miguel,

I would also strongly suggest that you use a salted hash if you are concerned with security -- especially if that md5 could ever be compromised or pass in clear text over an internet connection. The md5() function in PHP produces unsalted hashes, which are fairly easy to crack.

Unlike md5(), the PHP crypt() function will generate salted hashes. On my windows system it creates salted MD5 hashes (other operating systems may have other options like SHA1). A "salt" is essentially an additional random element that gets added into the password hash. This means that unlike md5() you will get a different hash each time you run crypt() on an identical string:

crypt(hello) = $1$bJoW4DmS$GDNwsRSjd5rwkfra6KOh10
crypt(hello) = $1$DnL7LQXm$eioj87M92X3IQvoTEquY21
crypt(hello) = $1$h488/RAa$e8tA4K1hEuBBRnagJbBnV1

instead of:

md5(hello) = 5d41402abc4b2a76b9719d911017c592
md5(hello) = 5d41402abc4b2a76b9719d911017c592
md5(hello) = 5d41402abc4b2a76b9719d911017c592

Why does this matter? Well, because of something called the time-memory tradeoff (try a google search to see the math behind this). The basic principle of the time-memory tradeoff is that you could either spend a long time trying to brute force each password hash or you could just spend time once creating really big (memory) tables that contain all the possibilities and then crack a hashed password in seconds. Of course the more complex the passwords you want to crack the longer it takes to build these tables (could be days, weeks, months, etc.), but the idea is that once you've built these tables it only takes a few seconds to crack any supported password. Time-memory tradeoff only works with unsalted passwords because these are 100% predicatble (hash of unsalted MD5 is always the same, as seen above).

To check an entered password against the original when using salted hashes, you need to do something a little different: you have to pass the original encrypted password as the salt to the crypt() function (the crypt() function extracts the salt from the passed password and uses that same salt to encrypt the entered password).

For example in PHP, check entered password against real password like this:

if (crypt($entered_pw, $real_pw) == $real_pw) {
  // login success

Hope that helps. (Anyone, please correct any errors or misinformation above!)


Miguel Guirao wrote:

It Works out pretty nice!!

Miguel Guirao
Servicios Datacard

-----Mensaje original-----
De: Justin Patrin [mailto:[EMAIL PROTECTED] Enviado el: Jueves, 10 de Junio de 2004 05:51 p.m.
Asunto: [PHP-DB] Re: Anyone using MSQL Server with PHP?

Miguel Guirao wrote:


Anybody here using PHP with SQL Server? I would like to use a similar
function to password () from MySQL under SQL Server.

Anybody knows of a similar function under SQL Server?

Kind Regards,

Miguel Guirao
Servicios Datacard

If it's for your app only, you could use md5() in PHP.

-- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to