www.webdeveloper.com

Thread: MD5 (or SHA1) with multiple values

  1. #1 (Join Date: Jun 2006, Location: Doncaster, Posts: 78)

    MD5 (or SHA1) with multiple values

    Hi, just a research question: I'm converting a new user and storing the email as an MD5 in order to get them to check in.
    It occurs to me that I could use other values at the same time (so a hashed version of email, postcode and name). This would make it very much more secure.

    How would I do this?

  2. #2 (Join Date: Jul 2010, Location: /ramdisk/, Posts: 865)
    Quote Originally Posted by AliHurworth
    Hi, just a research question: I'm converting a new user and storing the email as an MD5 in order to get them to check in.
    It occurs to me that I could use other values at the same time (so a hashed version of email, postcode and name). This would make it very much more secure.

    How would I do this?
    Using an MD5 hash by itself is not secure enough for short strings like emails, especially because the username is typically 1-10 bytes of ASCII (some institutions I know of require email usernames under 8 characters). The domain name exists in a public list of MX records. My cheap machine can make 3 million+ attempts at an MD5 hash per second, probably less because I would need to concatenate combinations of MD5(guess + "@" + domain name).

    That is why you should also include a very strong secret salt when generating an MD5 hash.

    MD5(guess + "@" + domain name + secret salt)... forget brute-forcing that; time to find another way in. But let's not be stupid and make a weak hash out of email.

    In general the MD5 hash is already outdated; collisions have been found (a long time ago).
    JH and Skein both look like promising algorithms for the NIST SHA-3 competition.
    -----

    In the meantime we'll cross our fingers and use MD5.

    Let's look at using it in a MySQL query:

    Code:
    mysql> CREATE TABLE user (
        -> user_ID int(11) PRIMARY KEY AUTO_INCREMENT,
        -> userName varchar(50),
        -> userHash char(32)   -- an MD5 hex digest is always 32 characters; varchar(20) could not hold one
        -> ) ENGINE=MyISAM;
    
    mysql> ALTER TABLE user
        -> ADD UNIQUE (userName);
    
    mysql> ALTER TABLE user
        -> ADD UNIQUE (userHash);
    The hash must be unique; otherwise you have a collision.

    PHP Code:
    // The four values are spliced straight into the SQL text by sprintf();
    // nothing escapes them, so any quote in the input alters the query.
    $sqlResource = mysql_query(
        sprintf("SELECT user.user_ID
                    FROM user
                    WHERE MD5('%s%s%s%s') = user.userHash",
                $userName, $email, $password,
                "This is a secret salt, it should be kept private."
        )
    );

    if (mysql_num_rows($sqlResource)) {
        $user = new User(mysql_fetch_object($sqlResource));
    }

    But this might not be secure depending on where your MySQL server is located. PHP also has an MD5 function; you may want to preprocess the hash before sending it to MySQL. I believe it's MD5().

    I would also suggest you use SSL to receive the credentials through $_POST.

    If a valid email is all you need for authentication then you don't really have enough credentials. Most places require an email/username and a strong password.

    Maybe wait for Criterion9 to respond; he's good with these things.

    Edit: I noticed this code will also have a problem with MySQL handling the hash as a string. You should preprocess it with PHP first; that way people can use special characters that would otherwise mess up the query.
    Last edited by eval(BadCode); 01-23-2011 at 02:07 AM.
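The three points in the post above (a bare MD5 of an email is guessable once the domain is known, a secret only helps if it is a real key, and request values must never be spliced into the SQL text) as one added, runnable example in Python. This is not code from the thread or from either poster; the domain example.org, the three accounts, the in-memory SQLite table and the SECRET_KEY value are all constructed for illustration.

```python
"""Added example, not code from the thread: (1) why an unkeyed MD5 of an
email address is recoverable by brute force when the domain is public and
the local part is short, (2) a keyed token (HMAC) that the secret-salt idea
amounts to when done with a standard construction, and (3) a parameterised
lookup instead of sprintf-style splicing of request values into SQL.
Everything here is constructed: the domain example.org, the three users,
the in-memory SQLite table and SECRET_KEY are assumptions.
"""
import hashlib
import hmac
import itertools
import sqlite3
import string

DOMAIN = "example.org"                 # assumed public (it is in the MX records)
ALPHABET = string.ascii_lowercase
SECRET_KEY = b"server-side secret, kept out of the users table"   # assumption

# Constructed sample accounts.
USERS = ["al@example.org", "bob@example.org", "zed@example.org"]


def md5_hex(s):
    """What the original schema stores: MD5(email) as a 32-char hex string."""
    return hashlib.md5(s.encode()).hexdigest()


def recover_email(target_hex, max_len=3):
    """Brute-force the local part of an unkeyed MD5(email) token.

    With the domain known, 1..3 lowercase letters is only
    26 + 26**2 + 26**3 = 18,278 guesses.  At the 3 million MD5/s quoted in
    the post, even all 26**8 eight-letter local parts take under a day.
    """
    for n in range(1, max_len + 1):
        for chars in itertools.product(ALPHABET, repeat=n):
            guess = "".join(chars) + "@" + DOMAIN
            if md5_hex(guess) == target_hex:
                return guess
    return None


def keyed_token(email):
    """HMAC-SHA256 of the email under a server-side key.

    Without SECRET_KEY an attacker cannot compute candidate tokens at all,
    so the local-part search in recover_email() has nothing to compare
    against.  HMAC is the standard keyed construction; concatenating a
    secret onto the message and hashing is not.
    """
    return hmac.new(SECRET_KEY, email.encode(), hashlib.sha256).hexdigest()


def build_db():
    """Constructed table in the shape of the thread's schema, storing keyed tokens."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE user ("
        " user_ID INTEGER PRIMARY KEY AUTOINCREMENT,"
        " userName TEXT UNIQUE,"
        " userHash TEXT UNIQUE)"
    )
    conn.executemany(
        "INSERT INTO user (userName, userHash) VALUES (?, ?)",
        [(e.split("@")[0], keyed_token(e)) for e in USERS],
    )
    return conn


def vulnerable_lookup(conn, username):
    """The sprintf("... '%s' ...") pattern: request data becomes SQL syntax."""
    sql = "SELECT user_ID, userName FROM user WHERE userName = '%s'" % username
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Placeholder binding: the driver quotes the value, so it is only ever
    compared, never parsed as part of the statement."""
    return conn.execute(
        "SELECT user_ID, userName FROM user WHERE userName = ?", (username,)
    ).fetchall()


def lookup_by_token(conn, email):
    """Check-in lookup: compute the hash in application code, bind the result."""
    return conn.execute(
        "SELECT user_ID, userName FROM user WHERE userHash = ?",
        (keyed_token(email),),
    ).fetchone()


if __name__ == "__main__":
    print(recover_email(md5_hex("bob@example.org")))   # bob@example.org
    db = build_db()
    print(lookup_by_token(db, "bob@example.org"))       # (2, 'bob')
    print(len(vulnerable_lookup(db, "' OR '1'='1")))    # 3: every row comes back
    print(len(safe_lookup(db, "' OR '1'='1")))          # 0
```

The PHP equivalents are hash_hmac('sha256', $email, $key) for the token and a prepared statement (PDO or mysqli with bound parameters) for the lookup; computing the digest in PHP and binding the hex string is exactly the "preprocess it with PHP first" that the post's edit recommends.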

  3. #3 (Join Date: Oct 2007, Posts: 374)
    Quote Originally Posted by AliHurworth
    Hi, just a research question: I'm converting a new user and storing the email as an MD5 in order to get them to check in.
    It occurs to me that I could use other values at the same time (so a hashed version of email, postcode and name). This would make it very much more secure.

    How would I do this?
    Assuming you've already done sanity checks on the values, I'd do this like:
    PHP Code:
    $prehash=$email.$postcode.$name;
    $hash=md5($prehash);
    // do whatever you want with the hash 
    When they come back, I'd hope you also require a password, also stored as a salted hash. Then you compare the data to the stored data:
    PHP Code:
    $hash = $email.$postcode.$name;
    $stored_hash = somefunction(); // get the hash out of the database
    if ($hash == $stored_hash) {
        $password_authenticated = somepasswordfunction(); // validate the password using the correct hashes
        if ($password_authenticated) {
            echo('Welcome Back');
        } else {
            echo('Login attempt failed.');
        }
    }
    Hope that helps.

  4. #4 (Join Date: Oct 2007, Posts: 374)
    A little late, but I just realized the first line of that 2nd block of code should have been:
    PHP Code:
    $hash=md5($email.$postcode.$name); 
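An added example in Python, not code from the thread or from either poster, of an edge case in the md5($email.$postcode.$name) approach from the two posts above: plain concatenation erases the field boundaries, so two different (email, postcode, name) records can hash to the same value, and the string equality used for the comparison is not constant-time. The two records and SECRET_KEY below are constructed for illustration.

```python
"""Added example, not code from the thread: what goes wrong when several
fields are hashed by plain concatenation, as md5($email.$postcode.$name)
does, and an encoding that fixes it.  The two records and the key are
constructed for illustration.
"""
import hashlib
import hmac

SECRET_KEY = b"assumed server-side key"   # assumption, not from the thread


def naive_fingerprint(email, postcode, name):
    """Mirror of md5($email.$postcode.$name): the field boundaries vanish."""
    return hashlib.md5((email + postcode + name).encode()).hexdigest()


def encode_fields(*fields):
    """Length-prefix each field so the concatenation can only be split one way.

    Each field becomes <4-byte big-endian length><UTF-8 bytes>.  Moving a
    character from one field to the next changes the lengths and therefore
    the bytes, so distinct tuples never encode alike.
    """
    out = b""
    for f in fields:
        data = f.encode("utf-8")
        out += len(data).to_bytes(4, "big") + data
    return out


def fingerprint(email, postcode, name):
    """Keyed, field-separated replacement for the naive hash."""
    return hmac.new(SECRET_KEY, encode_fields(email, postcode, name),
                    hashlib.sha256).hexdigest()


def verify(stored, email, postcode, name):
    """Constant-time comparison instead of ==, so a mismatch in the first
    byte and a mismatch in the last byte take the same time."""
    return hmac.compare_digest(stored, fingerprint(email, postcode, name))


if __name__ == "__main__":
    # Two different (email, postcode, name) records...
    a = naive_fingerprint("al@example.org", "DN1", "Anne")
    b = naive_fingerprint("al@example.org", "DN1A", "nne")
    print(a == b)   # True: "DN1" + "Anne" and "DN1A" + "nne" are the same string
    print(fingerprint("al@example.org", "DN1", "Anne")
          == fingerprint("al@example.org", "DN1A", "nne"))   # False
```

In PHP the same fix is any encoding that keeps the boundaries (for example json_encode of the array of fields) fed to hash_hmac('sha256', ..., $key), and hash_equals() in place of == for the comparison.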
