PHP is a server-side scripting language, which means PHP is responsible for the back-end functionality a website requires. The authentication system is one of the most important parts of a website and one of the most common places where developers make mistakes that leave vulnerabilities for others to exploit. One example is storing and using user passwords in plaintext, which can lead to a situation where an unauthorized person gains access to the database and the whole system is compromised.
This situation can easily be prevented with password hashing. Password hashing is a method that takes the user password (a variable-length sequence of characters) and transforms it into a fixed-length string of seemingly random characters drawn from a larger character set. PHP has a few functions that can be used for this.
md5() Function
Syntax:
string md5($string, $getRawOutput)
Parameters: The function can take up to a maximum of two parameters as follows:
- $string: This parameter expects the string to be hashed.
- $getRawOutput: This optional parameter expects a boolean value, on TRUE the function returns the hash in a raw binary format of length 16.
Return Type: This function returns the hashed string (either in lowercase hex character sequence of length 32 or raw binary form of length 16).
sha1() Function
Syntax:
string sha1($string, $getRawOutput)
Parameters: The function can take up to a maximum of two parameters as follows:
- $string: This parameter expects the string to be hashed.
- $getRawOutput: This optional parameter expects a boolean value, on TRUE the function returns the hash in a raw binary format of length 20.
Return Type: This function returns the hashed string (either in lowercase hex character sequence of length 40 or raw binary form of length 20).
hash() Function
Syntax:
string hash($algo, $string, $getRawOutput)
Parameters: The function can take up to a maximum of three parameters as follows:
- $algo: This parameter expects a string naming the hashing algorithm to be used. PHP has a total of 46 registered hashing algorithms, among which "sha1", "sha256", "md5" and "haval160,4" are the most popular ones.
- $string: This parameter expects the string to be hashed.
- $getRawOutput: This optional parameter expects a boolean value, on TRUE the function returns the hash in a raw binary format.
Return Type: This function returns the hashed string (either in lowercase hex character sequence or raw binary form).
The program below illustrates the working of md5(), sha1() and hash() in PHP:
<?php
// PHP code to illustrate the working of md5(), sha1() and hash()
$str  = 'Password';
// salt built from the username and date of birth, as described in the notes below
$salt = 'Username20Jun96';

// each digest is computed over the password concatenated with the salt
echo sprintf("The md5 hashed password of %s is: %s\n", $str, md5($str . $salt));
echo sprintf("The sha1 hashed password of %s is: %s\n", $str, sha1($str . $salt));
echo sprintf("The gost hashed password of %s is: %s\n", $str, hash('gost', $str . $salt));
?>
Output:
The md5 hashed password of Password is: a59a0e0fcfab450008571e94a5549225
The sha1 hashed password of Password is: a69652ddbc8401ae93b5d2f0390d98abd94fc2f4
The gost hashed password of Password is: 5376160a0d848c327949364b96fb9fd6e13a9b20c58fbab50f418ea9eea3b67f
Important points to note:
- The complexity of a hashing algorithm determines how good the hashing itself is. Both sha1 and md5 are not very complex, so experts suggest using these algorithms only where the risk is acceptable.
- Using only the password as the input string gives a mediocre result, but using a salt improves it. A salt in hashing is a random string that is combined with the password before hashing. Many developers prefer to use the username and some other field (such as the date of birth in the example above) as the salt, which increases the randomness.
- A hashing algorithm should preferably be one-way, i.e. there should be no method to decrypt the hash, but with all of these well-known algorithms the original password can still be guessed by a properly implemented brute-force or dictionary attack.
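The following is an added example, not code from the original article. It registers and verifies a password two ways: store_salted_digest() follows the article's pattern of hashing password . salt with hash(), but draws a random per-user salt from random_bytes() instead of the username and date of birth, and checks the digest with hash_equals() so the comparison does not leak timing; store_password_hash() shows PHP's built-in password_hash()/password_verify() API, which applies a slow, salted algorithm (bcrypt under PASSWORD_DEFAULT) and is the API PHP recommends for login passwords. The function names and the sample password are assumptions made for this example.

```php
<?php
// Added example (not from the original article).

function store_salted_digest(string $password): array
{
    // 16 random bytes -> 32 hex characters; stored alongside the digest for each user
    $salt = bin2hex(random_bytes(16));
    return [
        'salt'   => $salt,
        'digest' => hash('sha256', $password . $salt),
    ];
}

function verify_salted_digest(string $password, array $record): bool
{
    $candidate = hash('sha256', $password . $record['salt']);
    // constant-time comparison; a plain === can reveal how many leading bytes matched
    return hash_equals($record['digest'], $candidate);
}

function store_password_hash(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt; salt and cost are embedded in the returned string,
    // so only this one string needs to be stored per user
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_password_hash(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed sample input (assumption: not a real credential)
$password = 'Password';

$record = store_salted_digest($password);
printf("sha256 digest with random salt: %s\n", $record['digest']);
var_dump(verify_salted_digest('Password', $record));
var_dump(verify_salted_digest('password', $record));

$stored = store_password_hash($password);
printf("password_hash() string: %s\n", $stored);
var_dump(verify_password_hash('Password', $stored));
var_dump(verify_password_hash('password', $stored));
```

Because the salt is random, the sha256 digest differs on every run of store_salted_digest(); only the stored record for a given user can verify that user's password.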