Thanks a lot Hans for your great explanation about this type of
passwords, salted passwords. I will google for that term, time-memory 
Tradeoff.

Thanks one more time!!

Miguel Guirao
Servicios Datacard
www.SIASA.com.mx

-----Mensaje original-----
De: Hans Lellelid [mailto:[EMAIL PROTECTED] 
Enviado el: Viernes, 11 de Junio de 2004 12:15 a.m.
Para: Miguel Guirao
CC: 'Justin Patrin'; [EMAIL PROTECTED]
Asunto: Re: [PHP-DB] Re: Anyone using MSQL Server with PHP?

Hi Miguel,

I would also strongly suggest that you use a salted hash if you are 
concerned with security -- especially if that md5 could ever be 
compromised or pass in clear text over an internet connection.  The 
md5() function in PHP produces unsalted hashes, which are fairly easy to

crack.

Unlike md5(), the PHP crypt() function will generate salted hashes.  On 
my windows system it creates salted MD5 hashes (other operating systems 
may have other options like SHA1).  A "salt" is essentially an 
additional random element that gets added into the password hash.  This 
means that unlike md5() you will get a different hash each time you run 
crypt() on an identical string:

crypt(hello) = $1$bJoW4DmS$GDNwsRSjd5rwkfra6KOh10
crypt(hello) = $1$DnL7LQXm$eioj87M92X3IQvoTEquY21
crypt(hello) = $1$h488/RAa$e8tA4K1hEuBBRnagJbBnV1

instead of:

md5(hello) = 5d41402abc4b2a76b9719d911017c592
md5(hello) = 5d41402abc4b2a76b9719d911017c592
md5(hello) = 5d41402abc4b2a76b9719d911017c592

Why does this matter?  Well, because of something called the time-memory

tradeoff (try a google search to see the math behind this).  The basic 
principle of the time-memory tradeoff is that you could either spend a 
long time trying to brute force each password hash or you could just 
spend time once creating really big (memory) tables that contain all the

possibilities and then crack a hashed password in seconds.  Of course 
the more complex the passwords you want to crack the longer it takes to 
build these tables (could be days, weeks, months, etc.), but the idea is

that once you've built these tables it only takes a few seconds to crack

any supported password.  Time-memory tradeoff only works with unsalted 
passwords because these are 100% predicatble (hash of unsalted MD5 is 
always the same, as seen above).

To check an entered password against the original when using salted 
hashes, you need to do something a little different: you have to pass 
the original encrypted password as the salt to the crypt() function (the

crypt() function extracts the salt from the passed password and uses 
that same salt to encrypt the entered password).

For example in PHP, check entered password against real password like
this:

if (crypt($entered_pw, $real_pw) == $real_pw) {
   // login success
}

Hope that helps.  (Anyone, please correct any errors or misinformation 
above!)

Hans

Miguel Guirao wrote:
> Thanks!!
> 
> It Works out pretty nice!!
> 
> Miguel Guirao
> Servicios Datacard
> www.SIASA.com.mx
> 
> -----Mensaje original-----
> De: Justin Patrin [mailto:[EMAIL PROTECTED] 
> Enviado el: Jueves, 10 de Junio de 2004 05:51 p.m.
> Para: [EMAIL PROTECTED]
> Asunto: [PHP-DB] Re: Anyone using MSQL Server with PHP?
> 
> Miguel Guirao wrote:
> 
> 
>>Hi!!
>> 
>>Anybody here using PHP with SQL Server? I would like to use a similar
>>function to password () from MySQL under SQL Server.
>> 
>>Anybody knows of a similar function under SQL Server?
>> 
>>Kind Regards,
>> 
>>Miguel Guirao
>>Servicios Datacard
>>www.SIASA.com.mx
>> 
>>
> 
> 
> If it's for your app only, you could use md5() in PHP.
> 

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to