2

So I am trying to "create" a strong hashing algoritme, and now I am wondering, how strong is it?

This is what I have came up with:

function bHash($text, $salt) { foreach (array_reverse(hash_algos()) as $hash) { $hash .= hash($hash, $text . $hash . $salt); } return "_bH/" . $salt . "/" . str_replace("/", "+", crypt($hash, $salt)); } echo bHash($password, "KB8NtFIN"); // I am using a different salt for each password!

So I am taking each hashing in the hash() function, and I hash it over and over again with salt (8 random string+hashname)

Which results in, for example "hello" is: _bH/KB8NtFIN/KBumi3+cVUUtU

So, how safe/strong is this?

Improve this question
17
  • 5
    Just 1 question: why are you doing this? Commented May 30, 2016 at 14:33
  • 8
    This is actually a very complex question which I doubt a lot of people can answer thoroughly or right, for that matter. If you're doing this for the hell of it, then good for you, if you're planning on using this in production then don't. But, if you're curios as to WHY you shouldn't write your own, have a look here. Commented May 30, 2016 at 14:36
  • 2
    @Matthew Not very safe. There are people who know a lot more about cryptography than you. It's better to just use what they have given us. Unless you're studying cryptography I wouldn't bother with this exercise. Commented May 30, 2016 at 14:37
  • 2
    Matthew, you would probably do well to read this entire post from Security StackExchange Commented May 30, 2016 at 14:41
  • 2
    @Matthew I suggest you read these two blog posts from the author of the password compatibility layer. Seven Ways To Screw Up BCrypt and Security Issue: Combining Bcrypt With Other Hash Functions. They may give valuable insight into how easy it is to mess up even an audited/approved hash algo. Commented May 30, 2016 at 14:53

1 Answer 1

Reset to default
4

PHP - How safe/strong is this hashing?

Short Answer: not very.

Longer short answer: It isn't very strong compared to industry standards such as PGP or varios bCrypt implementations.

Longer answer: I don't want to rip off the answers provided in this Security StackExchange Post but please, read that link, read these very long and very detailed answers as to the numerous and various pitfalls of your own hashing algorithm.

  • Obfuscation is not hashing, just because you can't read it doesn't mean no one else can.

  • As Zaph mentioned, Schneiers Law is a relevant issue here.

  • If you change the salt every time, what is the point of having the salt at all? The salt needs to be recognisable by the algorithm, take a very simple example: You have algebra which states a = b + c . The minimum number of equations you can use to find value of a is the number of unknown variables. So in this case 2 (one for b and one for c), so if you have hash = salt + password if you only then have one equation (the hash) you can't find both the salt and the password values from within the hash...

  • what if your salt contains the / character? What if your password contains the / character?

P.s> Also the links to IRCMaxwells stuff posted by JimL are well worth reading too.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.