[Tutorial] Hashing passwords with MySQL
#1

Introduction
Hey guys!
If you're going to comment this tutorial as "SUX" and stuff like that, don't even bother commenting and press the 'report' button.
If you're going to read the whole tutorial, and comment "Nice!", it's much appreciated!

Script
If you're using BlueG's MySQL plugin, you don't need to use the whirlpool plugin. (I said you don't need, but go ahead if you want to..)

There's another hashing system called "sha-1".
There are various types of sha, but I'm just going to explain sha-1.

Personally, I think sha1 is very good (of what I read).
It's secure, and good.
sha-1 is not breakable.
sha1 appeared in 1995 and it stands for secure hash algorithm.
There are 4 sha's (if I'm not mistaken) sha-0, sha-1, sha-2 and sha-3.

Ok, ok enough, lets go to the scripting.
When we want to use it while calling a query in MySQL, we simply do:

sha1('textparam[]')

Quite easy right?
No need to load any extra plugins, nor loading more natives.
I'm not sure if the length of the hashes varies or not, but I think not.
I'm pretty sure it doesn't, from the hashes of my users...
For example, if we want to use it on our daily register/login system, it would look something like this:

mysql_query("INSERT INTO `TABLENAME` (HASHTEST) VALUES (sha1('firecatrocks'))");

So we are INSERTING a new row in the wished TABLENAME.
We're going to affect the column called "HASHTEST" inserting the newly hashed text "firecatrocks"

It should insert something like:
Code:
4102dfc6de209ff3839b4e664b59f83dd79e878b
Why should we hash?
Well, for various reasons.
One of them is, if the database gets hacked... All of your users are secured.
Their profile passwords are secured, unless the person who hacked the database knows how to de-hash them.

Another reason is, loyalty.
If you're not hashing the passwords, users may hate you for that, because they feel like they can't trust you.
You should always hash users' passwords.

I hope you liked this tutorial!
#2

This is a good tutorial, but I don't think anyone should use sha1
  1. When using sha1() in MySQL, you're dealing with plain-text passwords in the queries which is NOT good.
  2. If you've already hassled with setting up MySQL, then you might as well do whirlpool. In that case, you can avoid using plain-text passwords in queries.
  3. Have you ever heard of password salting?
#3

Quote:
Originally Posted by VincentDunn
View Post
This is a good tutorial, but I don't think anyone should use sha1
  1. When using sha1() in MySQL, you're dealing with plain-text passwords in the queries which is NOT good.
  2. If you've already hassled with setting up MySQL, then you might as well do whirlpool. In that case, you can avoid using plain-text passwords in queries.
  3. Have you ever heard of password salting?
What do you mean by plain text passwords?
#4

Quote:
Originally Posted by FireCat
View Post
What do you mean by plain text passwords?
A plain-text password is an unhashed password.
#5

Quote:
Originally Posted by VincentDunn
View Post
A plain-text password is an unhashed password.
de-hashed*
And sha1 hashes them after the query is called.
#6

The password is still visible during that very short time interval the query is sent to the server. Yet I don't know how easy or hard it would be to intercept a query while it's being sent.
#7

Quote:
Originally Posted by Vince
View Post
The password is still visible during that very short time interval the query is sent to the server. Yet I don't know how easy or hard it would be to intercept a query while it's being sent.
Of course...
But it's also with EVERY hashing system.
Before you hash a password you can use printf for example..
#8

Quote:
Originally Posted by FireCat
View Post
Of course...
But its also with EVERY hashing system.
Before you hash a password you can use printf for example..
But there is a difference between intercepting the query
Code:
SELECT * FROM `users` WHERE `pass` = sha1('fuckme123')
and
Code:
SELECT * FROM `users` WHERE `pass` = '0FDF715A80C43F6603E8B8EC9676A45AD18AD8773BDE840F04D65A10157547EA05A67C0BE2F5990151EE9B7D7901C1523375CEE43E51EB7A48F25C712A05240C'
Personally, I'd rather have a hacker get a hold of the second one.
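An added example (not from the thread, and not the SA-MP MySQL plugin's code) that puts the tutorial's sha1()-in-query registration from post #1 beside the hash-before-send approach argued for in posts #2 and #8, in Python with an in-memory sqlite3 database standing in for MySQL. The sha1() SQL function is registered by hand because sqlite has no built-in one; the table name, column names, salt scheme and helper names are assumptions. The hash-before-send variant also binds values as query parameters instead of splicing them into the SQL text.

```python
"""Added example: sha1() inside the query vs. hashing before the query is built.
Stand-in for the MySQL server: an in-memory sqlite3 database (assumption)."""
import hashlib
import hmac
import os
import sqlite3


def sha1_hex(text):
    """Hex SHA-1 of a string; MySQL's sha1() returns the same 40-character form."""
    return hashlib.sha1(text.encode()).hexdigest()


def open_db():
    """Open the stand-in database and register sha1() so the tutorial's query runs."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("sha1", 1, sha1_hex)
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pass TEXT, salt TEXT)")
    return conn


# --- Tutorial approach (post #1): the password travels inside the SQL text -----
def register_sha1_in_query(conn, name, password):
    # String-spliced like the tutorial's mysql_query() call; the server hashes it.
    sql = f"INSERT INTO users (name, pass, salt) VALUES ('{name}', sha1('{password}'), '')"
    conn.execute(sql)
    return sql  # returned so the caller can inspect what was sent over the wire


def login_sha1_in_query(conn, name, password):
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pass = sha1('{password}')"
    found = conn.execute(sql).fetchone() is not None
    return found, sql


# --- Hash-before-send with a per-user salt (posts #2 and #8) -------------------
def salted_hash(password, salt_hex):
    # Salt is prepended so equal passwords give different stored digests.
    # (An iterated KDF such as hashlib.pbkdf2_hmac is the stronger choice today.)
    return hashlib.sha1((salt_hex + password).encode()).hexdigest()


def register_hash_before_send(conn, name, password):
    salt = os.urandom(16).hex()          # constructed per-user random salt
    digest = salted_hash(password, salt)
    sql = "INSERT INTO users (name, pass, salt) VALUES (?, ?, ?)"
    conn.execute(sql, (name, digest, salt))   # only the digest reaches the server
    return sql, digest


def login_hash_before_send(conn, name, password):
    row = conn.execute("SELECT pass, salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    stored, salt = row
    # Constant-time comparison of the stored and freshly computed digests.
    return hmac.compare_digest(stored, salted_hash(password, salt))


def query_exposes_password(sql, password):
    """True when the clear-text password appears verbatim in the SQL sent to the server."""
    return password in sql


if __name__ == "__main__":
    db = open_db()
    print(register_sha1_in_query(db, "firecat", "firecatrocks"))
    print(register_hash_before_send(db, "vincent", "hunter2")[0])
```

Running the block shows the two INSERT statements side by side: the first carries the clear-text password in the query text, the second carries only a 40-character digest and placeholders. The fixed digest length also settles the question raised in post #1: a SHA-1 hex digest is always 40 characters, and the 128-character value quoted in post #8 is the length of a Whirlpool hex digest.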
#9

Quote:
Originally Posted by VincentDunn
View Post
But there is a difference between intercepting the query
Code:
SELECT * FROM `users` WHERE `pass` = sha1('fuckme123')
and
Code:
SELECT * FROM `users` WHERE `pass` = '0FDF715A80C43F6603E8B8EC9676A45AD18AD8773BDE840F04D65A10157547EA05A67C0BE2F5990151EE9B7D7901C1523375CEE43E51EB7A48F25C712A05240C'
Personally, I'd rather have a hacker get a hold of the second one.
How the hell would a hacker get to see your queries?

To encrypt a password using anything, you first have to get the plain text password and then encrypt it.
With WP it is:
WP_Hash(escapedPassword, sizeof(escapedPassword), plain_text_password);

If someone gets access to your server and is able to view the queries, he will also be able to save the passwords before they are encrypted with WP.
#10

Quote:
Originally Posted by im
View Post
How the hell would a hacker get to see your queries?

To encrypt a password using anything, you first have to get the plain text password and then encrypt it.
With WP it is:
WP_Hash(escapedPassword, sizeof(escapedPassword), plain_text_password);

If someone gets access to your server and is able to view the queries, he will also be able to save the passwords before they are encrypted with WP.
Well Vincent has a point because if you have mysql_debug enabled....