Can I use a combination of different algorithms to generate a password hash?

Viewed 166 times

I have a question here: I ran some tests on the local server, and I was wondering whether anyone has done anything like this, and whether the database supports that many characters.

The idea of merging various types of encryption is to increase the security level of the site, if it is possible to use it this way.

<!DOCTYPE html>
<html lang="pt-br">
  <head>
    <meta charset="utf-8">
    <title>Gerador de senhas</title>
  </head>
  <body>
    <!-- the goal of this study is to make a script for encrypted passwords with authentication -->
    <?php
      $a = 'umasenhaBemforteparaserqueBrada135'; // the user's password

      // this was another test, but it ends up with too many characters -> $cripto = md5($string).sha1($string).md5($string).base64_encode($string).sha1($string).base64_encode($string);
      $senhacodificada = sha1(md5($a).sha1(md5($a)).md5(sha1($a).base64_encode($a)).base64_encode($a)).md5(base64_encode($a).sha1(md5($a).base64_encode(sha1($a)))).base64_encode(sha1(md5($a)));
      //echo $senhacodificada;

      if (isset($_POST['acao'])) {
        if (($_POST['senha'] ?? '') !== '') {
          $c = $_POST['senha'];
          $compara = sha1(md5($c).sha1(md5($c)).md5(sha1($c).base64_encode($c)).base64_encode($c)).md5(base64_encode($c).sha1(md5($c).base64_encode(sha1($c)))).base64_encode(sha1(md5($c)));
          // hash_equals compares in constant time and avoids PHP's loose == comparison of strings
          if (hash_equals($senhacodificada, $compara)) {
            echo '<br>';
            echo 'senha igual';
            echo '<hr>';
            echo $compara;
          } else {
            echo '<hr>';
            echo 'a senha é diferente';
          }
        } else {
          echo 'campos vazios nao sao permitidos';
        }
      }
    ?>

    <form method="post">
      <input type="password" name="senha">
      <input type="submit" name="acao" value="logar">
    </form>
  </body>
</html>
  • Leandro, no one gets a downvote because of a duplicate flag.

  • I recommend counting the characters and confirming that the amount is within the limits of VARCHAR, TEXT or SMALLTEXT fields in SQL. Remember that password size does not guarantee security, since your code may be flawed and allow INJECTIONS. Anyway, this is up to you already! Good luck!

  • Oops, okay, I’ll count the characters and check the limits. The SQL is protected with a script and with checks on every URL of the site; the question was really whether this encryption method is used. Thank you

1 answer

The $senhacodificada that you generated will always have 128 characters, which is a size that any modern database will support without trouble. In fact, the limit of the main databases is much higher than this, and the only problem will be if the field is set to a smaller size (for example, if the column was created as VARCHAR(100), 128 characters will not even fit). But the main problem here is another one...


Don’t invent your own encryption

Making a crazy combination of hashes, although it sounds like a good idea, isn’t one, and it doesn’t make the slightest difference (read more about it here, here, here and here).

In addition, it is worth remembering that SHA1 and MD5 have been obsolete for some time (see more about this here, here and here). I suggest using more modern algorithms, like those in the SHA-2 family, just by using the hash function and passing the algorithm as a parameter. Examples (using SHA-256 and SHA-512):

$hash_com_sha256 = hash('sha256', $senha);
$hash_com_sha512 = hash('sha512', $senha);

Something else: Base64 is not cryptography; it is just a data encoding algorithm, and it does not change security at all (it does not make your algorithm more or less secure). The only thing it does is increase the original size of the data (by a fixed proportion), but since it is an easily reversible algorithm, it makes no difference in terms of security.


Finally, I strongly recommend that you read "How to hash passwords securely?". And stop trying to reinvent the wheel.
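As an added example (not code from the question or the answer), the question's chained scheme is placed beside PHP's built-in password API (password_hash/password_verify, bcrypt by default). It shows why the chain adds nothing: it is unsalted and deterministic, so two users with the same password store the same 128-character value and it is cheap to compute in bulk, while password_hash salts every call and is deliberately slow. The sample password and the function names hashChained, storePassword and checkPassword are constructed for this demo.

```php
<?php
// Added demo, not from the original post. hashChained() reproduces the
// question's scheme; the other two wrap PHP's built-in password API.

// The question's scheme: no salt, no work factor, same output every time.
function hashChained(string $p): string
{
    return sha1(md5($p) . sha1(md5($p)) . md5(sha1($p) . base64_encode($p)) . base64_encode($p))
        . md5(base64_encode($p) . sha1(md5($p) . base64_encode(sha1($p))))
        . base64_encode(sha1(md5($p)));
}

// Built-in API: random salt per call, tunable cost, algorithm tag in the output.
function storePassword(string $p): string
{
    return password_hash($p, PASSWORD_DEFAULT);
}

function checkPassword(string $p, string $stored): bool
{
    return password_verify($p, $stored);
}

$pw = 'umasenhaBemforteparaserqueBrada135'; // constructed sample password

// 1) Deterministic: two accounts with the same password store the same string,
//    so a leaked table shows shared passwords and can be hit with one lookup table.
$a = hashChained($pw);
$b = hashChained($pw);
printf("chained:       %d chars, identical for two users: %s\n", strlen($a), var_export($a === $b, true));

// 2) password_hash salts each call, so equal passwords give different stored
//    values, yet password_verify still accepts the right password.
$h1 = storePassword($pw);
$h2 = storePassword($pw);
printf("password_hash: %d chars, identical for two users: %s\n", strlen($h1), var_export($h1 === $h2, true));
printf("verify correct password: %s\n", var_export(checkPassword($pw, $h1), true));
printf("verify wrong password:   %s\n", var_export(checkPassword('senha-errada', $h1), true));

// 3) Cost: the chain is built from fast digests, so guessing is cheap;
//    bcrypt's work factor makes each guess orders of magnitude slower.
$t = microtime(true);
for ($i = 0; $i < 1000; $i++) { hashChained($pw); }
printf("1000 chained hashes:     %.3fs\n", microtime(true) - $t);
$t = microtime(true);
for ($i = 0; $i < 10; $i++) { storePassword($pw); }
printf("10 password_hash calls:  %.3fs\n", microtime(true) - $t);
```

Run it with the PHP CLI; the two "identical for two users" lines (true for the chain, false for password_hash) and the timing lines are the point of the comparison.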
