Hi,
On my websites, I encrypt passwords using a combination of hashing algorithm (Which I am obviously not going to post on a forum but its along the lines of md5(substr(whirlpool($Value), 0, 7)); )
What is blowfish, how do I use it and how much more secure is it than a function as shown above?
Regards,
Sam Rudge
Hey.
I was under the impression that Blowfish was an encryption cipher, not a hashing algorithm?
Encryption usually allows for decryption, while hashing does not, and I believe Blowfish does allow for decryption. (Although, now that I think about it, I am not entirely sure on that point.)
In any case, the answer to the question of "how much more secure is it" won't have a simple and undisputed answer, as this is a very complex topic.
Lets just say that for the foreseeable future, you will be pretty safe with either Blowfish or a couple of iterations of a salted hashing algorithm, given that you aren't still using MD5 or SHA1 :-]
As Atli says, Blowfish is an encryption cipher, not a hashing algorithm.
It is in the mcrypt library (http://php.net/manual/en/book.mcrypt.php)
There was a whole thread a while back discussing passwords and some good methods. I'll see if I can find it...
EDIT:
Thread is here:
http://www.daniweb.com/forums/showthread.php?t=178241
OK thanx, I think I will stick with my current method of lots of salts (In the actual function I use about 5 different algorithms)
Hi,
On my websites, I encrypt passwords using a combination of hashing algorithm (Which I am obviously not going to post on a forum but its along the lines ofmd5(substr(whirlpool($Value), 0, 7));)What is blowfish, how do I use it and how much more secure is it than a function as shown above?
Regards,
Sam Rudge
Why not just save the whole hash generated by whirlpool? Using md5 effectively reduces the size of the hash, making it easier to guess (find collisions).
Taking a substr() of 7 characters makes it very insecure. You've effectively made the password a 7 character string composed of 0-9 and a-f. (hexadecimal).
This makes guessing the password less then 16^7 possibilities, which is very insecure. A single machine would guess it in less then an hour. A rainbow table, a few seconds.
I've updated the linked thread with a few tips:
http://www.daniweb.com/forums/thread178241.html
You can actually use blowfish, enough though it is a cypher. Part of its algorithm is used in BCrypt (http://www.usenix.org/events/usenix99/provos/provos_html/node1.html) which is the password hashing function in OpenBSD.
The reason is that blowfish uses 4Kb of RAM when processing keys. Thus you can make it process a large number of keys, in order to make sure your algorithm uses a large amount of ram.
Say you want to use 1MB for each hashing function. You could generate 1000/4 keys, and feed them into blowfish then rehash. Note this isn't to encrypt the password, you just want to take up 1MB of RAM, so that anyone trying a brute force attack on the hashes requires 1MB for each hash which is unfeasible for them.
You however, can afford 1MB since logins are not a bottleneck on web applications. Things like disk and network IO usually are.
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.