[RELEASE] PHPPasswordEncryption V1.6 - Little script!

Page 1 of 2
Results 1 to 15 of 16
  1. #1
    Gamma Spamma Liam
    Rank: Member
    Join Date: Dec 2011
    Location: Down Under
    Posts: 2,946

    [RELEASE] PHPPasswordEncryption V1.6 - Little script!

    Hello there guys and girls, today I'm releasing my small, not huge, PHPPasswordEncryption script. What it does is simply encrypt input with a custom salt, MD5(SHA1()). As said, it is nothing big at all, as I'm only doing this to help me with my PHP skills. This teaches me how to operate with functions and basic OOP. It also teaches me how to encrypt passwords, with salt, and make it available to a much wider range of sources, by only having to include the script page.

    And without further ado, I introduce to you my small and portable PHPPasswordEncryption script:
    Code:
    http://www.mediafire.com/?j5p1d0bv2ebu75s
    By making this, I've learnt some basic skills. This is only version 1, of a possible 2. I am looking to expand the security of the script, but at the moment, it seems very secure. As said, it's easy to set up! Please read the index that has come with this script.

    Please leave feedback below, and inform me on what could be changed for the future to ensure better encryption of passwords, if any. Thanks a lot, and I hope to learn further more PHP, OOP.
    Last edited by Liam; 11-11-12 at 08:02 AM.


  2. #2
    JavaScript Is Best Script Jash
    Rank: Member
    Join Date: Dec 2010
    Location: Singapore
    Posts: 683
    I'll be writing in response to the security part.

    You used double hashing, which is stronger than single hashing. However, iterating a hash twice is not secure enough.
    Look at this thread: stackoverflow.com/questions/348109/is-double-hashing-a-password-less-secure-than-just-hashing-it-once
    To sum up the content in the thread, you should be iterating a hash more than twice, a lot more than twice. iPhone uses 10,000 iterations to secure its data, for example. Take a look at PBKDF2 for multiple and secure hashing.

    Sent from my LG-P500 using Tapatalk 2

  3. #3
    Gamma Spamma Liam
    Rank: Member
    Join Date: Dec 2011
    Location: Down Under
    Posts: 2,946

    Re: [RELEASE] PHPPasswordEncryption V1 - Little script!

    Hello Jash, thanks for your reply! First of all, this is version one, and I will be sure to maximize the security by heaps. I will make a new index page, where it will allow the installer to choose new security and it will be secured multiple times. In the next version, it will be the second last version, or possibly the last version I make, but it will be maximized to the highest extent of security. And the portability of it is already amazing. Tomorrow in the afternoon, I will complete the V2 and release it on this thread. From then I hope to see improvements in security. This is basically the base for V2, as I released this version to see thoughts of it.

  4. #4
    JavaScript Is Best Script Jash
    Rank: Member
    Join Date: Dec 2010
    Location: Singapore
    Posts: 683

    Re: [RELEASE] PHPPasswordEncryption V1 - Little script!

    I see, well all the best then! I'm sure V2 will be a lot better :)


  5. #5
    Gamma Spamma Liam
    Rank: Member
    Join Date: Dec 2011
    Location: Down Under
    Posts: 2,946

    Re: [RELEASE] PHPPasswordEncryption V1 - Little script!

    Quote (originally posted by Jash):
    > I see, well all the best then! I'm sure V2 will be a lot better :)

    I'm currently working on V1.6, a version for where I can develop from tomorrow night. But, I can't be bothered Googling anything at the moment, and I want to know if MD5(MD5(SHA1(SHA1 would be any good? Along with multiple salts in the password?

  6. #6
    JavaScript Is Best Script Jash
    Rank: Member
    Join Date: Dec 2010
    Location: Singapore
    Posts: 683

    Re: [RELEASE] PHPPasswordEncryption V1 - Little script!

    Quote (originally posted by Liam):
    > I'm currently working on V1.6, a version for where I can develop from tomorrow night. But, I can't be bothered Googling anything at the moment, and I want to know if MD5(MD5(SHA1(SHA1 would be any good? Along with multiple salts in the password?

    I think 4 times is sufficient enough, but it can be made more secure.
    Because generating a hash based on an input is linear to the number of hash iterations used, you should aim for at least 1,000 iterations to make brute forcing practically impossible, as a higher number of iterations would mean a longer computation time per input.

    As for the salt, how are you planning to generate the multiple salts?


  7. #7
    Pee Aitch Pee Dave
    Rank: Member
    Join Date: Mar 2011
    Location: The Netherlands
    Posts: 722

    Re: [RELEASE] PHPPasswordEncryption V1 - Little script!

    You should use something else to generate a salt.
    By looking at the script, we know that the salt is between 100000 and 1000000 (and then MD5'ed).
    php - How to generate a random, long salt for use in hashing? - Stack Overflow

    About password hashing, people (and I) suggest bCrypt.
    Best PHP encryption method for storing user passwords in a MySQL table? - Stack Overflow
    How do you use bcrypt for hashing passwords in PHP? - Stack Overflow
    Last edited by Dave; 10-11-12 at 04:38 PM.

  8. #8
    Gamma Spamma Liam
    Rank: Member
    Join Date: Dec 2011
    Location: Down Under
    Posts: 2,946

    Re: [RELEASE] PHPPasswordEncryption V1 - Little script!

    The salt methods will be like so:
    PHP Code:
    /* SALTING - This will further secure the passwords */
    $salty[1] = md5("s1");
    $salty[2] = sha1("s2");
    $salty[3] = md5("s3");
    $salty[4] = sha1("s4");
    Where it has s1, s2, s3, s4, the user of this script will be able to change the salts using a randomly generated, MD5 encrypted, salt. Like so:
    PHP Code:
    Replace <b><u>s1</u></b> with: <b><?php echo(sha1(rand(123456654321)));?><br /></b>
    Replace <b><u>s2</u></b> with: <b><?php echo(md5(rand(54321987654321)));?></b><br />
    Replace <b><u>s3</u></b> with: <b><?php echo(sha1(rand(12345677654321)));?><br /></b>
    Replace <b><u>s4</u></b> with: <b><?php echo(md5(rand(54321987654321)));?></b><br /><br /><br />
    The little script above was taken from the install.php file, where the installer can manually generate salts to be placed into the encrypt.php file. In a later version, there will be an automatic install script, where it will insert custom SALTs and RANDOM encryption/hash methods. Doing so will make the script much more secure, because everyone won't know the exact method used without looking at the source. What I mean by this is that it will be more secure, that is basically it! In the near future, I will have a fully working lockdown script, hopefully I go through with this. What it will do is allow the installer to locate where the passwords are installed along with more information, for example ID, and it will allow the site owner to do an emergency lock-down which will save the ID and Password hashes into our secured databases and it will then delete the passwords from the database. This is good for website owners who need a quick and efficient backup of passwords without hackers gaining access to them! This is only an idea, and may not be done, but I will have an attempt at it some other time. For now, I have been cleaning the code a little bit, explaining what things do using /* */ & <!-- --> - I will edit the thread soon, and release V1.6.

    Version 1.6 download: PHPPasswordEncryptionv1.6.rar

  9. #9
    JavaScript Is Best Script Jash
    Rank: Member
    Join Date: Dec 2010
    Location: Singapore
    Posts: 683

    Re: [RELEASE] PHPPasswordEncryption V1.6 - Little script!

    It seems fine.
    As long as the salts aren't mutually related (e.g. second salt = some function of first salt), then it should be secure enough.


  10. #10
    Gamma Spamma Liam
    Rank: Member
    Join Date: Dec 2011
    Location: Down Under
    Posts: 2,946

    Re: [RELEASE] PHPPasswordEncryption V1.6 - Little script!

    This project will be continued on: 23rd / 11 / 2012 - The development of this script has been delayed until the date mentioned earlier; this is when I get my laptop, and when I will be releasing more work on PHP. Thanks guys, and I will have these updates applied:
    - Auto Installer (generates a random SALT automatically for you!)
    - Stronger encryption
    - Starting on some new features which will be released on V2.4
    - Clean code if needed
    - Keep the coding nice, simple, and short

  11. #11
    Software Person TimeBomb
    Rank: Moderator
    Join Date: May 2008
    Location: United States
    Posts: 1,252

    Re: [RELEASE] PHPPasswordEncryption V1.6 - Little script!

    If you're doing anything related to password security, please read this article, or at least the first chunk that talks about password security: How to manage a PHP application's users and passwords

    Password hashing is 1/3 of it. Salting correctly is the second step. And stretching the password is the step most people leave out.

    I have quite a bit of respect for OpenWall. The writer of this article may seem a bit old-fashioned and opinionated at times, but he and the rest of OpenWall really, really know their stuff when it comes to, amongst other things, password security.

  12. #12
    Gamma Spamma Liam
    Rank: Member
    Join Date: Dec 2011
    Location: Down Under
    Posts: 2,946

    Re: [RELEASE] PHPPasswordEncryption V1.6 - Little script!

    Quote (originally posted by timebomb):
    > If you're doing anything related to password security, please read this article, or at least the first chunk that talks about password security: How to manage a PHP application's users and passwords
    >
    > Password hashing is 1/3 of it. Salting correctly is the second step. And stretching the password is the step most people leave out.
    >
    > I have quite a bit of respect for OpenWall. The writer of this article may seem a bit old-fashioned and opinionated at times, but he and the rest of OpenWall really, really know their stuff when it comes to, amongst other things, password security.

    Thanks for the reply mate, I will read over the web-page and I will take notes from it. I thank all for the replies and suggestions made to my script. I will be sure to fix it up and make the best from it! I am currently reading it over now, and I will take notes. Thanks a lot, and I will be sure to add additional security to the script. I also have a neat little script coming up, so keep your eyes out :)

  13. #13
    Gamma Spamma Liam
    Rank: Member
    Join Date: Dec 2011
    Location: Down Under
    Posts: 2,946

    Re: [RELEASE] PHPPasswordEncryption V1.6 - Little script!

    Got my laptop today, running like a charm! Will be doing some little updates to the script later tonight or tomorrow!

  14. #14
    Gamma Spamma Liam
    Rank: Member
    Join Date: Dec 2011
    Location: Down Under
    Posts: 2,946

    Re: [RELEASE] PHPPasswordEncryption V1.6 - Little script!

    I've done some updating. I've been testing around with some new features that will not be released yet, but I will be playing around with some add-ons for this script. For now, I've done some small updates to the encrypt.php file:
    PHP Code:
    <!-- PHPPasswordEncryption v2 (PPE Coded by Liam McGrath) -->

    <?php
    class encrypt
    {
        function password($input = '')
        {
            /* SALT - This will further secure the passwords */
            $salty[1] = md5("xxx");
            $salty[2] = sha1("xxx");
            $salty[3] = md5("xxx");
            $salty[4] = sha1("xxx");

            /* Securing the passwords here */
            $layer_1 = md5(md5(sha1(sha1($salty[1] . $salty[2] . $input . $salty[3] . $salty[4])))); // Gathering the salt with the password
            $layer_2 = sha1($salty[4] . $layer_1 . $salty[1]); // Securing level 2 in SHA-1
            return md5($salty[2] . $layer_2 . $salty[3]); // Finalized password - Will return the password secured
        }

        function test()
        {
            echo("testing");
        }
    }

    $encrypted = new encrypt();
    $encrypted->password();
    ?>

    This is v1.8, but the thread won't be updated until v2.0, this is where it'll have some new features and new installer! Slowly rolling out things as time goes by, and learning new things! And I will surely be using this for any future websites or releases I make, as I do find this simple to use. Enjoy, and leave comments below. Suggestions will be great, and I also would like to ask how does password stretching work? I'm confused!
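
Added example (not part of the thread and not code from PHPPasswordEncryption): the per-password salt and the stretching raised in posts #6, #7 and #11, shown once with PBKDF2 and once with PHP's built-in bcrypt API. It assumes PHP 7.1 or later; the function names `stretch_pbkdf2` and `verify_pbkdf2`, the 100,000 iteration count, the bcrypt costs and the `$`-separated storage format are choices made for this example.

```php
<?php
// Added example, not code from PHPPasswordEncryption. Function names, the
// iteration count and the "$"-separated storage format are assumptions.

// Stretching: PBKDF2 repeats an HMAC $iterations times, so every guess costs
// that many hash computations instead of the handful in a fixed md5/sha1 chain.
function stretch_pbkdf2(string $password, int $iterations = 100000): string
{
    $salt = random_bytes(16); // fresh 128-bit salt per password, from the CSPRNG
    $key  = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    // Keep the parameters next to the hash so the count can be raised later.
    return implode('$', ['pbkdf2-sha256', $iterations,
                         base64_encode($salt), base64_encode($key)]);
}

function verify_pbkdf2(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false; // not a record written by stretch_pbkdf2()
    }
    $iterations = (int) $parts[1];
    $salt = base64_decode($parts[2], true);
    $key  = base64_decode($parts[3], true);
    if ($iterations < 1 || !is_string($salt) || $salt === '' || !is_string($key) || $key === '') {
        return false; // malformed record
    }
    $check = hash_pbkdf2('sha256', $password, $salt, $iterations, strlen($key), true);
    return hash_equals($key, $check); // constant-time comparison
}

// Constructed sample password, used only for this demonstration.
$pw = 'correct horse battery staple';

$a = stretch_pbkdf2($pw);
$b = stretch_pbkdf2($pw);
var_dump($a !== $b);                  // same password, two different salts
var_dump(verify_pbkdf2($pw, $a));     // right password against its own record
var_dump(verify_pbkdf2('guess', $a)); // wrong password

// bcrypt through password_hash(): salt generation and stretching happen inside;
// cost 12 means 2^12 rounds of key setup.
$hash = password_hash($pw, PASSWORD_BCRYPT, ['cost' => 12]);
var_dump(password_verify($pw, $hash));
// Reports whether the stored hash is below the cost requested here.
var_dump(password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 13]));
```

For storing passwords, `password_hash()` and `password_verify()` on their own are enough; the PBKDF2 half is there to show what stretching does and why the salt is stored per record rather than fixed in the script.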

  15. #15
    Ultra Light Beam Makarov
    Rank: Member
    Join Date: Apr 2010
    Location: Gotham
    Posts: 3,622

    Re: [RELEASE] PHPPasswordEncryption V1.6 - Little script!

    If $input = ''; Then $input should be a random_string;

    Also to make it super secure, randomize the order of the salts and input every time password is called.


