xisto Community
abyx

What Is Hashing?


I just wanted to share something I recently started utilizing in my scripts.

I never really understood the point of hashing until I started to read some stories about experiences where hashing prevented a site's users' password database from being read.

 

So, first I should sort of explain what hashing is.

Hashing is a one-way algorithm that creates a unique string of text. A common mistake is users referring to hashing as an encryption method. The word encryption implies that there is a method of decryption as well. This is not the case with hashing. Hashing is meant to go one way, and one way only.

Why is this good? A hashed string is unique for each phrase entered, and is constant as long as the exact same text is entered. This is great for passwords because, well, passwords never change! Well, unless, of course, a user changes it, but that's beside the point. So, if my password was "puppydog", then it would appear as dbfff42a90727d02153511a33480572b (using md5). As long as "puppydog" is entered exactly the same, it would always result in dbfff42a90727d02153511a33480572b.

 

How does one start hashing? Simple.

Let's say you want to take the user's entered password (from a previous form), hash it using md5, then store it in a database.

 

First, you would use an opening php tag.

<?php
Then you would create a variable based on the sent password.

$password = $_POST['password'];
Now, the good part, you would create a variable that uses md5 algorithm on the password variable.

$hash = md5($password);
See? Extremely simple. Now, of course, you would store the new hashed password into a database, then close the php tag.

// Connect (the fourth argument selects the database), then store the
// username alongside the hash. mysqli replaces the mysql_* functions that
// were removed in PHP 7, and the prepared statement keeps the username out
// of the SQL text; the original "'$_POST['username']'" interpolation was
// also a parse error inside a double-quoted string.
$db = mysqli_connect("localhost", "admin", "blahblah", "users") or die(mysqli_connect_error());
$stmt = mysqli_prepare($db, "INSERT INTO users (username, password) VALUES (?, ?)") or die(mysqli_error($db));
mysqli_stmt_bind_param($stmt, "ss", $_POST['username'], $hash);
mysqli_stmt_execute($stmt) or die(mysqli_stmt_error($stmt));
?>

See? Extremely simple. When a user logs in, all you have to do is compare users, then use the same method of hashing on the password entered at the login form.

 

Now, uncovering a hashed string isn't impossible. There are two major ways of revealing a hashed string. Brute-Forcing and Rainbow Tables.

 

Brute-Forcing is trying every combination of characters to find a conflict in a hashed string. Even with a basic password this can take an extremely long time, but the outcome is usually correct.

 

Rainbow Tables are dictionaries of hashed strings. They include the phrase and its hashed outcome. The user would enter the hashed string into a search form and submit it. The search then shows the results. Surprisingly, rainbow tables are pretty effective, considering most users' passwords are usually pretty basic words.

 

The easiest way to avoid these is salt. No, pouring table salt on a rainbow table won't make it shrivel up and die. I'm talking about a short, random string that is added to the password before it is hashed. This will effectively avoid the use of Rainbow Tables.

 

To use a salt, just define it in a variable, and put it in with the $password in the md5() function, as such:

<?php
$password = $_POST['password'];
$salt = "AKfsa*@";               // the salt: a short string appended before hashing
$hash = md5($password . $salt);  // hash the password and the salt together
?>
The salt in the above code is "AKfsa*@". This was completely random. They don't need to be random at all, either. Just make up your own string. I usually copy a 5 or 7 character combination from a different hash.

It's important you use the same salt upon login. It's basically part of the password.

 

What about Brute-Forcing? Well, brute-forcing can still work around salts. It will just take longer.

 

I believe the best way to stop brute-forcing, is by hashing a string multiple times. Sort of like, hashing a hash. Like so:

<?php
$password = $_POST['password'];
$hash1 = md5($password);   // first hash of the password
$hash2 = md5($hash1);      // hash the hash again
?>
This way, the brute-forcer would have to uncover the first hash, which just reveals another hash, then they would have to reveal this new hash. This extremely lengthens the brute force. A string can be hashed many times, and you can throw a salt in there too. It could take years (literally) for a brute-force to completely reveal a single password.

 

That's why I love hashing.

 

I hope you learned something!
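As an added example that is not part of the original post or its author's code, here is the same register-and-login flow written for current PHP. It assumes PHP 7.0 or later with the pdo_sqlite extension, and uses an in-memory SQLite table plus a constructed sample user so it runs offline with no web form or MySQL server; the function names (openDb, registerUser, loginUser, pbkdf2Hash, pbkdf2Verify) are my own. password_hash() generates a random salt for every password and applies a slow, iterated algorithm (bcrypt under PASSWORD_DEFAULT), which is the salt and hash-the-hash advice above done for you; the PBKDF2 functions at the end show those two knobs explicitly.

```php
<?php
// Added example, not code from the original post: the same register/login
// flow, with the per-password random salt and the slow, repeated hashing the
// post recommends supplied by password_hash(). Assumes PHP 7.0+ with the
// pdo_sqlite extension; the in-memory table and the sample user are
// constructed here so the script runs offline with no web form or MySQL.

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $pdo;
}

// Registration. password_hash() draws a fresh random salt for every call and
// stores it inside the returned string, so two users with the same password
// get different rows and a precomputed (rainbow) table is useless against it.
function registerUser(PDO $pdo, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Prepared statement: the username and hash are bound as values, never
    // pasted into the SQL text, so a quote in the username cannot alter it.
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Login. Fetch the stored string by username, then let password_verify()
// re-run the same salted, iterated computation and compare in constant time.
function loginUser(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                     // unknown user
    }
    if (!password_verify($password, $row['password'])) {
        return false;                     // wrong password
    }
    // If the default algorithm or cost has moved on since this row was
    // written, upgrade the stored hash now that we hold the plaintext.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = :p WHERE username = :u');
        $upd->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// The post's two ideas (a salt, and hashing many times) spelled out by hand
// with PBKDF2, for readers who want to see the knobs. The salt comes from
// random_bytes() per password and is stored next to the hash; the iteration
// count is what makes each brute-force guess expensive.
function pbkdf2Hash(string $password, string $salt, int $iterations = 600000): string {
    return hash_pbkdf2('sha256', $password, $salt, $iterations, 0, true);
}

function pbkdf2Verify(string $password, string $salt, int $iterations, string $stored): bool {
    // hash_equals() compares in constant time, so a mismatch in the first
    // byte takes as long as a mismatch in the last.
    return hash_equals($stored, pbkdf2Hash($password, $salt, $iterations));
}

$pdo = openDb();
registerUser($pdo, 'alice', 'puppydog');           // constructed sample user
echo loginUser($pdo, 'alice', 'puppydog') ? "login ok\n" : "login rejected\n";
echo loginUser($pdo, 'alice', 'puppyDog') ? "login ok\n" : "login rejected\n";

$salt = random_bytes(16);                           // fresh salt for this password
$stored = pbkdf2Hash('puppydog', $salt);
echo pbkdf2Verify('puppydog', $salt, 600000, $stored) ? "pbkdf2 ok\n" : "pbkdf2 rejected\n";
```

The string password_hash() returns (for bcrypt it starts with `$2y$` followed by the cost) carries the algorithm, the cost and the salt in front of the digest, so the login side needs no separate salt column and no fixed salt in the source. With the hand-rolled PBKDF2 variant the salt and the iteration count have to be stored alongside the hash and read back at login, which is exactly the bookkeeping the built-in functions take off your hands.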


Actually, yes, I did :). So that's what the little process is, because I have a poll script with an admin page, and stupid me always forgot it, so I went to the phpMyAdmin page to look it up there and all I got was that text string. Interestingly enough, routers use the same kind of script, if you call it that, with keys to help improve router security. If I remember correctly, brute forcing is seldom used anymore, because people wised up about computer hacking and junk; nonetheless, people still use simple passwords and junk and thus make it easy.


I did also, this was a great tutorial!! Congrats!! It was very well explained. I had read a tutorial about this and I didn't really understand it; this one was very direct and simple. That's where your tutorial beats the other one I once read: you explained everything, and why you would use the hash, and you gave some extra tips at the end on securing the hash, which was great! Thanks!


I did also, this was a great tutorial!! Congrats!! It was very well explained. I had read a tutorial about this and I didn't really understand it; this one was very direct and simple. That's where your tutorial beats the other one I once read: you explained everything, and why you would use the hash, and you gave some extra tips at the end on securing the hash, which was great! Thanks!

You're welcome!
I was in the same exact scenario before I learned what hashing was. Then I kind of just experimented with it and finally understood it. A bit of experimentation goes a long way. I'm going to hopefully write a user authentication tutorial (using a script I whipped up with some help from good ol' hashing) and it will utilize hashing completely. It will hopefully include image verification, administration, and a user control panel.
Thank you for reading my (sort of) tutorial.
I'm very glad you learned from it. :)


Great tutorial. Actually, I think that hashing should be made mandatory on major corporate sites and businesses, just to make things easier and less hackable. It's really a great improvement on what our internet society has come to. This tutorial is great, especially because it shows us the steps in depth. Great job, and I hope you make more just like this :)
