Password Hashing - FMWebschool

Password Hashing

By: Alex Babkov

Introduction / Disclaimer

This article will take a look at the basics of password hashing, and provide an overview of what it is, how it is used and why it is used. This article is only designed to act as an introduction to the subject and, at most, to add some security to databases that currently utilize plain-text storage of critical user login details. If you are interested in fully securing your database it is recommended that you read further on the subject and look in detail at the MCrypt and MHash extensions for PHP.

What is a hash

Simply speaking, a hash [value] is a unique fixed-length string, representing another variable-length string, which is generated using a particular hash function (e.g. MD5, SHA1 etc). Hashes rank on a scale of hard to impossible to invert and as a result often serve as a method of one-way encryption of data (though this is not their only use).

Password Hashes

When the user creates an account, a hash of their password (rather than their actual plain-text password) is stored in the password field of the database record. Every time they log into the system, the same hash function is run on the password they submit prior to performing a search.

For Example:

1) Account Creation:

Password Submitted: apple
Password stored in database: d0be2dc421be4fcd0172e5afceea3970e2f3d940

2) Login:

Password Submitted: apple
Password used in search: d0be2dc421be4fcd0172e5afceea3970e2f3d940

Why hash passwords

People will generally tend to re-use passwords between websites / online services. If someone were to gain direct access to the data in your database and hashing had not been utilized in its authentication system, the thief would have immediate access to a large collection of user names and passwords that they would be able to try against a large number of online services ranging from forums to bank accounts, or alternatively just against the online service you are providing.

Hashing with PHP

PHP provides a number of native hashing functions. Each function has its advantages and disadvantages. Because this is just an introductory article, we're not going to go into the advantages and drawbacks of the various functions available and will just rely on the fact that sha1 is a good, common hash function available with all recent PHP installations.


All one has to do in PHP to hash a string is to run the sha1 function on it, for example:

$username = $_REQUEST['username'];
$password = sha1($_REQUEST['password']);   // store the hash, never the plain-text password
$add = $fmdb->newAddCommand('accountsLayoutName');
$add->setField('username', $username);
$add->setField('password', $password);
$add_result = $add->execute();

Account Login Sample

// (... wild card characters here using regex. E.g. @ should be escaped to \@)
$username = $_REQUEST['username'];
// create the password hash
$password = sha1($_REQUEST['password']);
// construct a find command that searches the accounts table for the username and the hashed password
$find = $fmdb->newFindCommand('accountsLayoutName');
$find->addFindCriterion('username', $username);
// Note that the sha1 hash is hexadecimal (characters 0-9 and a-f only), so it cannot contain
// FileMaker find wildcards and needs no escaping.
$find->addFindCriterion('password', $password);
$find_result = $find->execute();
if (!FileMaker::isError($find_result)) {
    // User logged in successfully: set the session up and take them wherever they are meant to go
} else {
    // Authentication failed. Display an error message to the user
}
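The account creation and login flow from the Password Hashes section and the two PHP samples above, as an added example that is not the article's code: it runs the same steps against an in-memory array standing in for the FileMaker accounts table, compares hashes in constant time, adds a helper that escapes FileMaker find operators in the username (the step the sample's comment refers to), and then repeats the flow with PHP's built-in password_hash() and password_verify() (PHP 5.5+), which salt and stretch each password. The account names, the in-memory table and the find-operator list in the escaping helper are constructed assumptions; $fmdb, accountsLayoutName and the FileMaker API are not used.

```php
<?php
// Added example (not code from the article). It re-creates the article's
// account creation / login flow against a plain PHP array that stands in for
// the FileMaker accounts table, then repeats it with password_hash() and
// password_verify(). Assumes PHP 5.6 or later (hash_equals, password_hash).

// Constructed "accounts table": username => stored password hash.
$accounts = array();

// Account creation as the article does it: store sha1(password), never the
// plain text. sha1() always yields 40 lowercase hex characters, whatever the
// length of the input. Returns the stored hash.
function createAccountSha1(array &$accounts, $username, $password)
{
    $hash = sha1($password);
    $accounts[$username] = $hash;
    return $hash;
}

// Login as the article does it: hash the submitted password the same way and
// compare with the stored hash. hash_equals() compares in constant time, so
// the comparison does not leak how many leading characters matched.
function loginSha1(array $accounts, $username, $password)
{
    if (!isset($accounts[$username])) {
        return false;
    }
    return hash_equals($accounts[$username], sha1($password));
}

// The username, unlike the hex digest, is raw user input and must have
// FileMaker find operators escaped before it becomes a find criterion (the
// article's example: @ becomes \@). Assumption: the operator list in the
// character class is taken from FileMaker's documented find symbols; check it
// against the version you run.
function escapeFindCriterion($value)
{
    return preg_replace('/([\\\\@*#?!=<>~"])/', '\\\\$1', $value);
}

// Hardened variant. password_hash() generates a random salt per password and
// uses a deliberately slow algorithm (bcrypt by default), so two accounts with
// the same password get different hashes and a precomputed table of sha1
// digests is useless against the stored values.
function createAccountModern(array &$accounts, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $accounts[$username] = $hash;
    return $hash;
}

function loginModern(array $accounts, $username, $password)
{
    if (!isset($accounts[$username])) {
        return false;
    }
    return password_verify($password, $accounts[$username]);
}

// Walk through the article's example with constructed accounts.
createAccountSha1($accounts, 'alice', 'apple');
printf("stored sha1 for alice: %s\n", $accounts['alice']);
printf("alice / apple : %s\n", loginSha1($accounts, 'alice', 'apple') ? 'logged in' : 'rejected');
printf("alice / Apple : %s\n", loginSha1($accounts, 'alice', 'Apple') ? 'logged in' : 'rejected');

createAccountModern($accounts, 'bob', 'apple');
createAccountModern($accounts, 'carol', 'apple');
printf("bob and carol share a hash: %s\n", $accounts['bob'] === $accounts['carol'] ? 'yes' : 'no');
printf("bob / apple   : %s\n", loginModern($accounts, 'bob', 'apple') ? 'logged in' : 'rejected');

printf("escaped username: %s\n", escapeFindCriterion('user@example*'));
```

Run it with `php example.php`. The first stored hash is the article's own value for "apple", and the two accounts created with password_hash() get different stored values even though they share a password, which is the property an unsalted sha1 scheme lacks: with sha1 alone, every user who picked "apple" has the same row value and one precomputed digest unlocks all of them.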
