xisto Community

abyx

Members
Content Count: 7
Everything posted by abyx

  1. You're welcome! I was in the same exact scenario before I learned what hashing was. Then I kind of just experimented with it and finally understood it. A bit of experimentation goes a long way. I'm going to hopefully write a user authentication tutorial (using a script I whipped up with some help with good ol' hashing) and it will utilize hashing completely. It will hopefully include an image verification, administration, and a user control panel. Thank you for reading my (sort of) tutorial. I'm very glad you learned from it.
  2. abyx

    Hello

    It's always great to learn a new coding language. PHP is no exception. There's an endless amount of fun to be had. Right now I'm having a blast writing a login script. It's so fun. For some reason I get the biggest kick out of it. I have yet to find out why... Maybe I should write a PHP script that can tell me why I love PHP so much.
  3. Ah, I miss when GMail accounts were rare. Invites were scarce. Other email providers were crap. Et cetera. I was extremely happy when I received my invite. Though, I used a website that generated invitation codes. I doubt that's illegal, because this is a free provider we're talking about here. It's not illegal...right?
  4. abyx

    Hello

    Thank you very much for your kind welcoming. I'll try my best to become an active member. My site is hopefully going to be a collection of PHP scripts I write. Webdesign is basically my biggest hobby. I literally code in my dreams. When I wake up I jump on the computer and write up what I saw in my dream as soon as possible before I forget it. I think a huge aspiration for me would be pursuing a career in webdesign. Every day I discover a new PHP function and a new world is opened. As soon as I learn and get something, I start to utilize it any chance I get. I love the rush of finally finishing the frustrating and complicated script you've been working on for so long. It's so great to me. You may have figured out by now that I am hoping to get Xisto hosting.
  5. I just wanted to share something I recently started utilizing in my scripts. I never really understood the point of hashing until I started to read some stories about some experiences where hashing prevented their users' password database from being read. So, first I should sort of explain what hashing is. Hashing is a one-way algorithm that creates a unique string of text. A common mistake is users referring to hashing as an encryption method. The word encryption implies that there is a method of decryption as well. This is not the case with hashing. Hashing is meant to go one way, and one way only. Why is this good? A hashed string is unique for each phrase entered, and is constant as long as the exact same text is entered. This is great for passwords because, well, passwords never change! Well, unless, of course, a user changes it, but that's beside the point. So, if my password was "puppydog", then it would appear as dbfff42a90727d02153511a33480572b (using md5). As long as "puppydog" is entered exactly the same, it would always result in dbfff42a90727d02153511a33480572b. How does one start hashing? Simple. Let's say you want to take the user's entered password (from a previous form), hash it using md5, then store it in a database. First, you would use an opening php tag.

     <?php

     Then you would create a variable based on the sent password.

     $password = $_POST['password'];

     Now, the good part, you would create a variable that uses the md5 algorithm on the password variable.

     $hash = md5($password);

     See? Extremely simple. Now, of course, you would store the new hashed password into a database, then close the php tag.

     mysql_connect("localhost", "admin", "blahblah") or die(mysql_error());
     mysql_select_db("users") or die(mysql_error());
     // Escape the submitted username before it goes into the query string
     $username = mysql_real_escape_string($_POST['username']);
     mysql_query("INSERT INTO users (username, password) VALUES ('$username', '$hash')") or die(mysql_error());
     ?>

     See? Extremely simple.

     When a user logs in, all you have to do is compare users, then use the same method of hashing on the password entered at the login form. Now, uncovering a hashed string isn't impossible. There are two major ways of revealing a hashed string: Brute-Forcing and Rainbow Tables. Brute-Forcing is trying every combination of characters to find a conflict in a hashed string. Though, even with a basic password, this can take extremely long, but the outcome is usually correct. Rainbow Tables are dictionaries of hashed strings. They include the phrase and its hashed outcome. The user would enter the hashed string into a search form, and submit it. The search then shows the results. Surprisingly, rainbow tables are pretty effective, considering most users' passwords are usually pretty basic words. The easiest way to avoid these is salt. No, pouring table salt on a rainbow table won't make it shrivel up and die. I'm talking about a short, random string that is added to the password before it is hashed. This will effectively avoid the use of Rainbow Tables. To use a salt, just define it in a variable, and put it in with the $password in the md5() function, as such:

     <?php
     $password = $_POST['password'];
     $salt = "AKfsa*@";
     // The salt is appended to the password before hashing
     $hash = md5($password . $salt);
     ?>

     The salt in the above code is "AKfsa*@". This was completely random. They don't need to be random at all, either. Just make up your own string. I usually copy a 5 or 7 character combination from a different hash. It's important you use the same salt upon login. It's basically part of the password. What about Brute-Forcing? Well, brute-forcing can still work around salts. It will just take longer. I believe the best way to stop brute-forcing is by hashing a string multiple times. Sort of like, hashing a hash.

     Like so:

     <?php
     $password = $_POST['password'];
     $hash1 = md5($password);
     // Hash the first hash again
     $hash2 = md5($hash1);
     ?>

     This way, the brute-forcer would have to uncover the first hash, which just reveals another hash, then they would have to reveal this new hash. This extremely lengthens the brute force. A string can be hashed many times, and you can throw a salt in there too. It could take years (literally) for a brute-force to completely reveal a single password. That's why I love hashing. I hope you learned something!
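     A worked version of the scheme from the post above, added here as an example and not part of abyx's post. It reproduces the md5-with-salt-and-repeated-hash approach the post describes, then puts PHP's built-in password_hash()/password_verify() beside it, which generate a random salt per password and carry a tunable work factor, and stores the result with a prepared statement rather than a string-built query. The function names (legacy_hash, legacy_verify, register, login, store_user), the users table and all usernames, passwords and the salt are constructed for the example.

```php
<?php
// Added example, not code from the original post. Constructed values only.
declare(strict_types=1);

// The post's scheme: md5 over password.salt, then hash the hash until
// $rounds hashes have been applied. The salt is not secret, but it must be
// the same at registration and at login.
function legacy_hash(string $password, string $salt, int $rounds = 2): string
{
    $hash = md5($password . $salt);
    for ($i = 1; $i < $rounds; $i++) {
        $hash = md5($hash);
    }
    return $hash;
}

// Login check for the legacy scheme: recompute with the same salt and rounds
// and compare with hash_equals(), whose running time does not depend on where
// the two strings first differ.
function legacy_verify(string $password, string $salt, int $rounds, string $stored): bool
{
    return hash_equals($stored, legacy_hash($password, $salt, $rounds));
}

// Built-in replacement: bcrypt via password_hash(). A fresh random salt is
// generated and embedded in the returned string, and "cost" is the work factor
// the post is reaching for with "hash it many times".
function register(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// password_verify() reads the salt and cost back out of the stored string.
function login(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Storing the result: a prepared statement keeps the username out of the SQL
// text. Not executed below because it needs a database connection; the
// "users" table with a VARCHAR(255) password column is an assumption.
function store_user(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => register($password)]);
}

// Demonstration with constructed values.
$salt = 'AKfsa*@'; // the salt used in the post

$legacy = legacy_hash('puppydog', $salt, 2);
var_dump(legacy_verify('puppydog', $salt, 2, $legacy));   // right password, right salt
var_dump(legacy_verify('puppydog', 'other', 2, $legacy)); // right password, wrong salt
var_dump(legacy_verify('puppydoG', $salt, 2, $legacy));   // wrong password
// Same input, same salt, same rounds: the legacy output is fully deterministic.
var_dump(legacy_hash('puppydog', $salt) === legacy_hash('puppydog', $salt));

$stored = register('puppydog');
var_dump(login('puppydog', $stored)); // right password
var_dump(login('puppydoG', $stored)); // wrong password
// Registering the same password twice gives different strings, because each
// call draws its own salt; password_verify() still accepts both.
var_dump(register('puppydog') === $stored);
```

     Run it with php from the command line. The legacy section behaves exactly as the post says: the output never changes for the same password and salt, and a different salt gives a different hash. The bcrypt section shows what the post's salt and repeated hashing are approximating: the salt is random per user rather than one string shared by the whole table, and the cost parameter can be raised later as hardware gets faster without changing any calling code.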
  6. abyx

    Hello

    Hello Xisto, I'm abyx, and I hope to become an active member of this great community. I looked around the forums and I have got to say, it looks like an awesome community. See you all around!