PHP Classes

Secure Password: Generating and check password hashes

Recommend this page to a friend!
  Info   View files Example   View files View files (3)   DownloadInstall with Composer Download .zip   Reputation   Support forum (2)   Blog    
Ratings Unique User Downloads Download Rankings
StarStarStar 59%Total: 1,023 All time: 3,584 This week: 153Up
Version License PHP version Categories
securepassword 1.2GNU General Publi...5.6Cryptography
Description 

Author

This class can be used to generate password hashes and check whether a given password matches an hash.

The class generates an hash for a password using a random salt of a given length. The hash is generated using the SHA1 algorithm appended to the salt string.

The class can also check whether a password matches a given hash. It applies the same method retrieving the salt for the hash string.

Picture of Rupom Razzaque
  Performance   Level  
Name: Rupom Razzaque is available for providing paid consulting. Contact Rupom Razzaque .
Classes: 12 packages by
Country: Bangladesh Bangladesh
Age: 42
All time rank: 171 in Bangladesh Bangladesh
Week rank: 50 Down1 in Bangladesh Bangladesh Equal
Innovation award
Innovation award
Nominee: 1x

Winner: 1x

Example

<?php
/**
* Class : Secure Password
*
* @PHPVER : 5.0
* @author : MA Razzaque Rupom <rupom_315@yahoo.com>, <rupom.bd@gmail.com>
* Moderator, phpResource (http://groups.yahoo.com/group/phpresource/)
* URL: http://www.rupom.info
*
* @version : 1.0
* Date : 05/23/2006
* Purpose : Generating and Matching Secure and Strong Password
*/

require_once "SecurePassword.class.php";

$obj = new SecurePassword();
$obj->initSalt();
$password = 'abcd'; //password
$hash = $obj->generatePasswordHash($password); //hash created

//Matching results true if this $hash is for this $password
if($obj->matchPassword($password, $hash)) //match password by the hash
{
   echo
"<br>YES, Matched";
}
else
{
   echo
"<br>No, Wrong Password";
}

//Try with wrong password
$wrongPassword = 'asdf';

if(
$obj->matchPassword($wrongPassword, $hash)) //match password by the hash
{
   echo
"<br>YES, Matched";
}
else
{
   echo
"<br>No, Wrong Password";
}

/*
//Hash from DB

//DB Connection
mysql_connect("localhost","root","");
mysql_select_db("test");

$sourceTable = 'users';

$q = "SELECT password FROM $sourceTable where name='rupom'";
$res = mysql_query($q);
    
if(mysql_num_rows($res))
{
   while($row = mysql_fetch_array($res))
   {
         $hash = $row['password'];
         break;
   }
}

if($obj->matchPassword($password, $hash)) //match password by the hash
{
   echo "<br>YES, Matched";
}
else
{
   echo "<br>No, Wrong Password";
}
*/
?>


Details

Class : SecurePassword ============================================================================================= This technique of generating password hash (or password digest) generates strong hash of plain text password. And for authentication, it matches a generated hash with a plain password. Modern computers can generate both md5() and sha1() very quickly, thousands per seconds. Thus generating hashes and matching with existing hashes (for hacking) is easy. The present technique implements a kind of hashing that makes strong salt, decodes that and makes hash with that decoded salt and the given password. It gives a variable length strong hash that makes attackers' job tough. Description: This technique - 1. Creates strong salt of given length 2. Makes that salt more strong by decoding it to binary data 3. Creates hash appending that salt to the output of secure hash algorithm - 1 (sha1)generated hash. Parameter of SHA1 in this case is (decoded salt + plainpassword) 4. In matching a password with a stored hash, (i) The salt is extracted from given/stored hash and decoded first (ii) Then sha1() is implemented on that salt + plain password (iii) Then this hash is compared with the sha1() generated-hash portion of given/stored hash Strength : 1. If no parameter is given, initSalt() generates random salt that eventually generates random password hash for the same plain password. 2. When password characters are only plaintext, attackers' job is easy. Use of base64_decode() helps this technique generate more strong password since the hash contains binary data. 3. Changing the length of salt (saltLength), you can generate password of variable lengths(upto 70 characters). This strengthens the password and makes attackers' job tough. And Me: I am a hardcore C/C++ and PHP programmer. I enjoy my times in implementing varities of freelancing works. In doing many kind of web works, I experienced some securiy issues and hence thought this technique. Then I designed and implemented this technique. Please rate this class if you like and if it comes to your needs. Please feel free to contact me for any suggestion and/or further assistance regarding the technique and its implementation. ============================================================================== MA Razzaque Rupom Moderator, phpResource Group http://groups.yahoo.com/group/phpresource/ My Blog : http://www.rupom.info Emails: rupom_315@yahoo.com rupom.bd@gmail.com

  Files folder image Files  
File Role Description
Accessible without login Plain text file ReadMe.txt Doc. Documentation File
Plain text file SecurePassword.class.php Class Class File
Accessible without login Plain text file usage.php Example Usage Example

 Version Control Unique User Downloads Download Rankings  
 0%
Total:1,023
This week:0
All time:3,584
This week:153Up
 User Ratings  
 
 All time
Utility:75%StarStarStarStar
Consistency:75%StarStarStarStar
Documentation:66%StarStarStarStar
Examples:75%StarStarStarStar
Tests:-
Videos:-
Overall:59%StarStarStar
Rank:1325