Php password hash

Programiranje
1

pokusavam napraviti hash sa pbkdf2 sha256 sa salt
uzeo sam kod sa stranice pbkdf2 i ubacio i sve, napravio reg obican sistem da vidim u bazi kako ce izgledat al uvijek kad upisem sifru znakovi su isti za sve sifre ?! npr za sifru 123456 ili forum ce biti isti znakovi u bazi

pomoc bilo kakva

evo cod

<?php
define(“PBKDF2_HASH_ALGORITHM”, “sha256”);
define(“PBKDF2_ITERATIONS”, 1000);
define(“PBKDF2_SALT_BYTE_SIZE”, 24);
define(“PBKDF2_HASH_BYTE_SIZE”, 24);
define(“HASH_SECTIONS”, 4);
define(“HASH_ALGORITHM_INDEX”, 0);
define(“HASH_ITERATION_INDEX”, 1);
define(“HASH_SALT_INDEX”, 2);
define(“HASH_PBKDF2_INDEX”, 3);

$host = “localhost”;
$usern = “root”;
$lozinka = “”;
$db = “drek”;

$hashedinput = hash(‘sha256’, $input);
$password = pbkdf2 (‘sha256’, $hashedinput, $salt, 10000, 64);
$user = $_POST[“user”];
$email = $_POST[“email”];

mysql_connect($host,$usern,$lozinka)or die(“nemrem”);
mysql_select_db($db) or die(“nemrem2”);

$check = mysql_query(“SELECT * FROM accounts WHERE user = '”.$user."’");
$usercheck = mysql_num_rows($check);
if($usercheck == 0){
$d = ‘INSERT INTO accounts (user, password, email) VALUES ("’.$user.’", “’.$password.’”,"’.$email.’" )’;
mysql_query($d) or die (mysql_error());
if($d)
die(“Success! Please login to play!”);
}else{
die(“User already exists!”);
}

function create_hash($password)
{
// format: algorithm:iterations:salt:hash
$salt = base64_encode(mcrypt_create_iv(PBKDF2_SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM));
return PBKDF2_HASH_ALGORITHM . “:” . PBKDF2_ITERATIONS . “:” . $salt . “:” .
base64_encode(pbkdf2(
PBKDF2_HASH_ALGORITHM,
$password,
$salt,
PBKDF2_ITERATIONS,
PBKDF2_HASH_BYTE_SIZE,
true
));
}
function validate_password($password, $correct_hash)
{
$params = explode(":", $correct_hash);
if(count($params) < HASH_SECTIONS)
return false;
$pbkdf2 = base64_decode($params[HASH_PBKDF2_INDEX]);
return slow_equals(
$pbkdf2,
pbkdf2(
$params[HASH_ALGORITHM_INDEX],
$password,
$params[HASH_SALT_INDEX],
(int)$params[HASH_ITERATION_INDEX],
strlen($pbkdf2),
true
)
);
}
// Compares two strings $a and $b in length-constant time.
function slow_equals($a, $b)
{
$diff = strlen($a) ^ strlen($b);
for($i = 0; $i < strlen($a) && $i < strlen($b); $i++)
{
$diff |= ord($a[$i]) ^ ord($b[$i]);
}
return $diff === 0;
}

function pbkdf2($algorithm = ‘sha256’, $password, $salt, $count = ‘1000’, $key_length = ‘128’, $raw_output = false)
{
$algorithm = strtolower($algorithm);
if(!in_array($algorithm, hash_algos(), true))
trigger_error(‘PBKDF2 ERROR: Invalid hash algorithm.’, E_USER_ERROR);
if($count <= 0 || $key_length <= 0)
trigger_error(‘PBKDF2 ERROR: Invalid parameters.’, E_USER_ERROR);
if (function_exists(“hash_pbkdf2”)) {
// The output length is in NIBBLES (4-bits) if $raw_output is false!
if (!$raw_output) {
$key_length = $key_length * 2;
}
return hash_pbkdf2($algorithm, $password, $salt, $count, $key_length, $raw_output);
}
$hash_length = strlen(hash($algorithm, “”, true));
$block_count = ceil($key_length / $hash_length);
$output = “”;
for($i = 1; $i <= $block_count; $i++) {
// $i encoded as 4 bytes, big endian.
$last = $salt . pack(“N”, $i);
// first iteration
$last = $xorsum = hash_hmac($algorithm, $last, $password, true);
// perform the other $count - 1 iterations
for ($j = 1; $j < $count; $j++) {
$xorsum ^= ($last = hash_hmac($algorithm, $last, $password, true));
}
$output .= $xorsum;
}
if($raw_output)
return substr($output, 0, $key_length);
else
return bin2hex(substr($output, 0, $key_length));
}
?>

2

Prvo što mi je upalo u oći je to da ti radiš password kroz funkciju pbdkf2 kroz koju puštaš određene parametre, a jedan od tih parametara, $salt, nije nigdje definiran.

Drugo što mi je upalo u oko je to da ti password koji si poslao preko forme u nijednoj od ovih gore funkcija neupotrebljavaš pa ti onda naravno neće niti biti ništa drugo u bazi nego ono što ti je funkcija pbkdf2 vratila.

3

$salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
ovo za salt

a kad bi ubacio $password = $_POST[“password”]; onda se nebi nista dogadalo sifra bi bila onakva kakvu bi upiso…
ne znam kako da $password = $_POST[“password”]; ubacim

a sto bi trebo za $input, kako da to definiram

4

Taj $input ti i je zapravo lozinka iz forme.

$input = $_POST[‘password’];

5

PHP 5.5 ima ugrađenu funkciju za hash lozinki - password_hash

$hash = password_hash("nekalozinka", PASSWORD_DEFAULT);
if (password_verify('nekalozinka', $hash)) {
    echo 'Password is valid!';
} else {
    echo 'Invalid password.';
}

http://php.net/manual/en/function.password-hash.php

6

hvala vam ! sad sam napravio kako treba, ali kad maknem salt za svaku lozinku mi opet isti znakovi, a kad stavim salt onda za svaku drugaciju,

pa se pitam jel mora biti tako bez salta ?