I want to use a salt and a hash to create a secure login. I tried to follow this tutorial and wrote my own code, but it returns false. Here is my code:
```php
require_once 'application/third_party/secure-login/classes/hashing.php';
require_once 'application/third_party/secure-login/classes/salt.php';

$password = hashing::create_hash('123456', salt::random(12));
$old = '$2a$10$zuzycdw3ack2ccol3ds1sudj2wioz87.75erlzvczyh4d1hs2rhfu';

if (hashing::validate($password, $old, salt::random(12))) {
    echo true;
} else {
    echo false;
}
```
And the 2 classes I included:
```php
<?php
class hashing
{
    function __construct() {}

    /**
     * @param string $pass        user submitted password
     * @param string $hashed_pass hashed password pulled from the database
     * @param string $salt        salt pulled from the database
     * @param string $hash_method hashing method used to generate the hashed password
     */
    static function validate($pass, $hashed_pass, $salt, $hash_method = 'sha1')
    {
        if (function_exists('hash') && in_array($hash_method, hash_algos())) {
            return ($hashed_pass === hash($hash_method, $salt . $pass));
        }
        return ($hashed_pass === sha1($salt . $pass));
    }

    /**
     * Generates a secure, pseudo-random password with a safe fallback.
     */
    static function pseudo_rand($length)
    {
        if (function_exists('openssl_random_pseudo_bytes')) {
            $is_strong = false;
            $rand = openssl_random_pseudo_bytes($length, $is_strong);
            if ($is_strong === true) {
                return $rand;
            }
        }
        $rand = '';
        $sha = '';
        for ($i = 0; $i < $length; $i++) {
            $sha = hash('sha256', $sha . mt_rand());
            $chr = mt_rand(0, 62);
            $rand .= chr(hexdec($sha[$chr] . $sha[$chr + 1]));
        }
        return $rand;
    }

    /**
     * Creates a secure hash. Uses blowfish by default with a fallback on sha512.
     */
    static function create_hash($string, $salt = '', $hash_method = 'sha1', $stretch_cost = 10)
    {
        $salt = hashing::pseudo_rand(128);
        $salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);
        if (function_exists('hash') && in_array($hash_method, hash_algos())) {
            return crypt($string, '$2a$' . $stretch_cost . '$' . $salt);
        }
        return hashing::_create_hash($string, $salt);
    }

    /**
     * Fall-back sha512 hashing algorithm with stretching.
     */
    static function _create_hash($password, $salt)
    {
        $hash = '';
        for ($i = 0; $i < 20000; $i++) {
            $hash = hash('sha512', $hash . $salt . $password);
        }
        return $hash;
    }
}
```

```php
<?php
class salt
{
    public static function random($len = 8)
    {
        $chars = 'abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()-=_+';
        $l = strlen($chars) - 1;
        $str = '';
        for ($i = 0; $i < $len; ++$i) {
            $str .= $chars[rand(0, $l)];
        }
        return $str;
    }
}
```
Please check it for me! I don't know what is wrong or how it works. Thank you very much!
There are many problems with this code; I strongly suggest using the functions password_hash() and password_verify() for hashing.

Because you said you want to understand how it works, here are some tips:
```php
static function create_hash($string, $salt = '', $hash_method = 'sha1', $stretch_cost = 10)
{
    $salt = hashing::pseudo_rand(128);
    $salt = substr(str_replace('+', '.', base64_encode($salt)), 0, 22);
    if (function_exists('hash') && in_array($hash_method, hash_algos())) {
        return crypt($string, '$2a$' . $stretch_cost . '$' . $salt);
    }
    return hashing::_create_hash($string, $salt);
}
```
This method first tries to use crypt(). This is good, because it generates a BCrypt hash. The cost parameter would fail if it were smaller than 10, the salt could be generated unsafely, and it uses different ways to get entropy from the pool. It checks whether the hash() function exists, but this function is not at all made to hash passwords and has nothing to do with crypt().

Later, the verification does not use crypt() and instead checks with the hash() function, a different algorithm than before. The salt cannot be chosen freely to verify a password; instead you need the same salt that was used to generate the hash. The crypt() function did include the salt in the hash value.
```php
static function validate($pass, $hashed_pass, $salt, $hash_method = 'sha1')
{
    if (function_exists('hash') && in_array($hash_method, hash_algos())) {
        return ($hashed_pass === hash($hash_method, $salt . $pass));
    }
    return ($hashed_pass === sha1($salt . $pass));
}
```
If you want to learn a bit more about password hashing, I invite you to read this tutorial about secure password storing.
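To make the answer's point concrete, here is an added example (not the asker's code and not from the answer) of the two helpers rebuilt around password_hash() and password_verify(), together with a check that shows why comparing a bcrypt string to sha1(salt . password) with a fresh salt can never succeed. The function names create_hash, validate and needs_upgrade are my own; the hash is generated inside the script rather than taken from the question.

```php
<?php
// Create a bcrypt hash. password_hash() draws the salt from a CSPRNG and
// embeds algorithm, cost and salt in the returned string, so nothing else
// has to be stored alongside it.
function create_hash(string $password, int $cost = 10): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if ($hash === false) {               // only possible on PHP < 8
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Verify a submitted password against the stored string. password_verify()
// parses the cost and salt out of the stored hash and compares in constant time.
function validate(string $password, string $stored_hash): bool
{
    return password_verify($password, $stored_hash);
}

// Report whether a stored hash was made with a lower cost than current policy,
// so it can be rehashed on the next successful login.
function needs_upgrade(string $stored_hash, int $cost = 10): bool
{
    return password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Constructed demonstration values.
$stored = create_hash('123456');
var_dump(validate('123456', $stored));
var_dump(validate('wrong', $stored));
var_dump(needs_upgrade($stored, 12));

// The mistake in the question's validate(): the stored bcrypt string is compared
// to sha1(random_salt . password). The salt is new every call and the algorithm
// differs, so the two strings are never equal.
$fresh_salt = bin2hex(random_bytes(6));
var_dump($stored === sha1($fresh_salt . '123456'));

// The bcrypt string already carries its salt: passing the stored hash as the
// "salt" argument of crypt() reproduces the full string, which is what
// password_verify() does internally.
var_dump(hash_equals($stored, crypt('123456', $stored)));
```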