PHP Developers Network
http://forums.devnetwork.net/

PHP and Whirlpool Encryption
http://forums.devnetwork.net/viewtopic.php?f=34&t=133324
Page 1 of 1

Author:  cx_newton [ Wed Dec 07, 2011 5:02 am ]
Post subject:  PHP and Whirlpool Encryption

Hi there everyone, I'm new year and after browsing the internet for the answer to my troubles i think this is my final resort.

I'm currently working on a web interface system for a client that allows users to login, view manage and control user accounts that are called from a MySQL database. Everything is written and ready to go live bar 1 major function. The secure login.

I currently have a login script that simply runs of plain text for the purpose of development but now that the system is ready to go live i need to get this system working. So here are the details.

The login system , like most, collects the information from the login form and forwards it to loginscript.php. Once there it needs to encrypt the attempted password and compare it to the stored password. This is where i am having the issues.

I need help with the encryption on the attempted password. The stored passwords are encrypted in whirlpool using a 128 character hash.

If there is someone here who has any knowledge in this area I will be truly grateful,

Thanks for reading,

Callum

Author:  Weirdan [ Wed Dec 07, 2011 5:22 am ]
Post subject:  Re: PHP and Whirlpool Encryption


Author:  social_experiment [ Wed Dec 07, 2011 5:42 am ]
Post subject:  Re: PHP and Whirlpool Encryption


This might be useful to you

Author:  cx_newton [ Sun Dec 11, 2011 3:22 pm ]
Post subject:  Re: PHP and Whirlpool Encryption

@Weitdan The Major issue im having is i don't know where to start, as i stated i have my login script and i have my whirlpool encrypted passwords, i just don't know how to encrypt the $_POST['username'] and the fact we have a custom 128 character custom hash

Author:  social_experiment [ Sun Dec 11, 2011 4:13 pm ]
Post subject:  Re: PHP and Whirlpool Encryption

Syntax: [ Download ] [ Hide ]
string hash ( string $algo , string $data [, bool $raw_output= false ] )

That is how you would hash your $_POST received value; substituting $algo with whirlpool and $data with $_POST['username']

Author:  faarigia [ Mon Feb 16, 2015 7:05 am ]
Post subject:  Re: PHP and Whirlpool Encryption

Thanks for your reply. Pardon my n00bness. If my data were attacked, the attacker would also have access to the script, and thus the salt. So how would the hash of salt+password be more secure?

So you're saying I should replace the key with hash('sha256', 'asdf324!.#qQ' . $password)?

Author:  Celauran [ Mon Feb 16, 2015 7:29 am ]
Post subject:  Re: PHP and Whirlpool Encryption

The main benefit of a salt is to protect against rainbow table lookups. Even an application-wide random salt is going to change all the hashes, so their list of known hashes no longer works. Per-user salts confound that even more. You're right in assuming that with access to your salts, your hashes, and enough time, an attacker will be able to work out your passwords. This is where Blowfish and the concept of a work factor begin to shine. You simply make it so computationally expensive to try to brute force your passwords that is becomes not worth their time. tl;dr .

Page 1 of 1 All times are UTC - 5 hours
Powered by phpBB® Forum Software © phpBB Group
http://www.phpbb.com/