@paragonie-scott
Last active August 30, 2015 08:20
For a LinkedIn Discussion

Use that code and use any hash you wish to use. Even using md5 and this double salt it cannot be hacked.

"It cannot be hacked." Really? Are you willing to bet the farm on this? What happens if someone obtains the source code?

https://en.wikipedia.org/wiki/Kerckhoffs's_principle

I do not know who you are, Scott, but you really go by the book with no idea about how algorithm type matches work, do you?

https://www.google.com/search?q=%22algorithm+type+matches%22&ie=utf-8&oe=utf-8

I'm convinced that this is a wholly made-up term.

I'm not here to offend anyone but when you use any hash even the newest ones they can be type matched.

What do you mean by type matched?

This is why us real developers who never get hacked use Salts.

Er, "real developers"? As opposed to a fake developer?

Also, you totally misunderstand the purpose of a salt. A salt is meant to make sure that two different users with the same password will result in a different hash, deterministically. Using a constant string for a "salt" is a bad idea.

Bcrypt (password_hash() and password_verify()) uses a 128-bit random string as the salt, per user. Your algorithm uses two constant strings.

And Password Lock will not work for a member of a website who is a "hacker" in secret as a member.

Uh, no shit. If someone has persistent root access on your server, there's very little you can do to stop them from discreetly logging passwords in plaintext.

Then he gets your hashed data then type matches all of it to known algorithm matches to already defined hash encrypted data.

All of this sounds like you're arguing for security through obscurity.

http://security.stackexchange.com/a/24455/43688

```php
class security
{
    private function addSalt($pass)
    {
        $salt1='abcdefghijkl'; //OUR FIRST 12 CHAR SALT
        $salt2='opqrstuvwxyz'; //OUR 2ND 12 CHAR SALT
        $md5 = (md5($pass));
        $hash1 = $salt1.$md5.$salt2;// SALT1-MD5-SALT2 COMBINED
        $hash2 = strrev($hash1); //WE FLIP-REVERSE THE HASH
        echo $hash2;//CHANGE TO RETURN
    }//end func
    private function unSalt($pass2)
    {
        $a1 = substr($pass2, -44); // WE STRIP THE FIRST 12 CHAR SALT
        $b1 = strrev($a1); //WE UN-FLIP THE HASH
        $md_5 = substr($b1, -32); // WE FETCH OUR ORIGINAL MD5 AND STRIP THE 2ND SALT
        echo $md_5;//CHANGE TO RETURN
    }//end func
}//end class
```

USAGE:

```php
$password='razorback1';
$pass_data ='zyxwvutsrqpo82fad4f7115b8bee54e7c9245fa594dalkjihgfedcba';
$secure = new security;
$secure->addSalt($password);
echo'<br />';
$secure->unSalt($pass_data);
```
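
Added example (not part of the gist or of the LinkedIn thread): the point about salts made above, run against the constant-string scheme quoted on this page and against `password_hash()`. It lists which accounts end up with identical stored values under each scheme. The function names and the sample accounts are constructed for illustration, and PHP 7.4 or later is assumed.

```php
<?php
// Added example; function names are hypothetical and not from the gist.

// The quoted addSalt() logic, returning the value instead of echoing it.
function constantSaltHash(string $pass): string
{
    $salt1 = 'abcdefghijkl'; // constant strings copied from the quoted code
    $salt2 = 'opqrstuvwxyz';
    return strrev($salt1 . md5($pass) . $salt2);
}

// Groups usernames by stored value. Any group with more than one member means
// those accounts visibly share a password in the stored data.
function sharedPasswordGroups(array $stored): array
{
    $groups = [];
    foreach ($stored as $user => $value) {
        $groups[$value][] = $user;
    }
    return array_values(array_filter($groups, fn($g) => count($g) > 1));
}

// Constructed sample accounts; alice and bob choose the same password.
$accounts = ['alice' => 'razorback1', 'bob' => 'razorback1', 'carol' => 'tr0ub4dor'];

// array_map() with a single array keeps the username keys.
$constant = array_map('constantSaltHash', $accounts);
$bcrypt   = array_map(fn($p) => password_hash($p, PASSWORD_BCRYPT), $accounts);

echo "constant strings: ", json_encode(sharedPasswordGroups($constant)), "\n";
echo "password_hash():  ", json_encode(sharedPasswordGroups($bcrypt)), "\n";

// The random per-user salt is stored inside each bcrypt hash, so verification
// needs only the stored hash and the candidate password.
foreach ($accounts as $user => $pass) {
    $ok = password_verify($pass, $bcrypt[$user]);
    printf("%s verifies: %s\n", $user, var_export($ok, true));
}
```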
@paragonie-scott
Author

https://3v4l.org/nr8GL - yes, so secure
