Skip to main content

Timeline for PHP - How safe/strong is this hashing?

Current License: CC BY-SA 3.0

21 events
when toggle format what by license comment
Jul 1, 2016 at 18:01 vote accept wtm
May 30, 2016 at 15:11 review Close votes
Jun 3, 2016 at 0:00
May 30, 2016 at 14:59 answer added Mm-Art-In timeline score: 4
May 30, 2016 at 14:53 comment added JimL @Matthew I suggest you read these two blog posts from the author of the password compatibility layer. Seven Ways To Screw Up BCrypt and Security Issue: Combining Bcrypt With Other Hash Functions. They may give valuable insight into how easy it is to mess up even an audited/approved hash algo.
May 30, 2016 at 14:49 comment added Funk Forty Niner @Martin If it is, then it's purely academic. What they don't teach in schools is what's happening out in the "real world" and during "this century".
May 30, 2016 at 14:49 comment added Peter "How strong is this hash?" - Compared to what? Compared to not hashing it is very strong :)
May 30, 2016 at 14:48 comment added Mm-Art-In @Fred-ii- it seems to be an educational assignment, and we know that educational establishments are the last places to keep themselves up to date with IT best practises :-/
May 30, 2016 at 14:45 comment added Funk Forty Niner Why go through all that trouble when there is password_hash() or the compatibility pack to work with. Plus, why mess around with salts?
May 30, 2016 at 14:43 comment added zaph Consider that the currently accepted methods have been seriously peer reviewed. A do-it-yourself solution just can't meet that level of security. Consider "Schneier's Law": "Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break."
May 30, 2016 at 14:43 comment added Devon Bessemer I suspect a few issues. One, does every system produce the same number and order of hash_algos? If not, this could be a disaster when trying to validate hashes from another system. Secondly, I expect this to be slower and less secure as you're running through several weak hashing algorithms vs one that is known to be strong.
May 30, 2016 at 14:41 comment added Mm-Art-In Matthew, you would probably do well to read this entire post from Security StackExchange
May 30, 2016 at 14:40 comment added wtm @JimL Yes, it is just for educational reasons
May 30, 2016 at 14:39 comment added wtm @aleksv When for example logging in I can check the hash, grab the salt out of it and check it
May 30, 2016 at 14:39 comment added JimL @Matthew this is purely for educational reasons, right? Asking because somone might go out of their way to just talk you out of doing this - but may spend more time actually answering if they know you just want to learn.
May 30, 2016 at 14:38 comment added ave4496 If you compare the hash and the hashed password then, how do you know which salt to use?
May 30, 2016 at 14:38 comment added wtm @Clint why is it not safe?
May 30, 2016 at 14:37 comment added Clint @Matthew Not very safe. There are people who know a lot more about cryptography than you. It's better to just use what they have given us. Unless you're studying cryptography I wouldn't bother with this exercise.
May 30, 2016 at 14:36 comment added Andrei This is actually a very complex question which I doubt a lot of people can answer thoroughly or right, for that matter. If you're doing this for the hell of it, then good for you, if you're planning on using this in production then don't. But, if you're curios as to WHY you shouldn't write your own, have a look here.
May 30, 2016 at 14:34 comment added wtm @Naruto I am just wondering how safe can I make password storing, without the use of already strong things like bCrypt
May 30, 2016 at 14:33 comment added Naruto Just 1 question: why are you doing this?
May 30, 2016 at 14:32 history asked wtm CC BY-SA 3.0
toggle format