
[PHP] Neat Little Hashing Function



triston220
04-12-2011, 12:41 PM
Here's a little function I wrote for use in one of my projects:



function Protect($string, $salt = "FGTERTYBE5434576876897RETBREY"){
    // rot13 the input, prepend the salt, whirlpool it, then rot13 the hex digest
    $string = str_rot13(hash("whirlpool", $salt . str_rot13($string)));
    return $string;
}

Usage:

Hashing with the default salt:

Protect("PAssw0rd");

Hashing with a custom salt:

Protect("PassW0rd", "MYsA1t");

Enjoy. :)
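As an added example (not code from the original post), here is the posted Protect() beside two checks a reviewer would run on it: that the outer str_rot13 is undone by a single call, so the stored value is just a whirlpool hex digest in disguise, and that anyone who knows the scheme verifies a candidate simply by recomputing it. The same block then shows the replacement a defender would use today, password_hash() with a per-user random salt and a work factor. The function names outerRotationIsReversible, verifyLegacy, storePassword and checkPassword are assumptions made for this example; the salt and password strings are the ones from the post.

```php
<?php
// Added example, not from the original post. Protect() is reproduced as posted;
// the other functions and the sample values are constructed for this example.

function Protect(string $string, string $salt = "FGTERTYBE5434576876897RETBREY"): string
{
    // Exactly the posted construction: rot13 the password, prepend a fixed
    // site-wide salt, whirlpool it, then rot13 the hex digest.
    return str_rot13(hash("whirlpool", $salt . str_rot13($string)));
}

// str_rot13 is its own inverse, so one call undoes the outer rotation and
// exposes the plain whirlpool hex digest (hex digits 0-9 are not even touched;
// only a-f move to n-s). Returns true when that holds.
function outerRotationIsReversible(string $password, string $salt): bool
{
    $digest = hash("whirlpool", $salt . str_rot13($password));
    return str_rot13(Protect($password, $salt)) === $digest;
}

// The inner rotation is keyless, so what is stored is equivalent to
// whirlpool(salt . f(password)) for a fixed, public f. A party that knows the
// scheme never "reverses" anything: it recomputes Protect() on each candidate.
// This is the legacy verification routine such a scheme needs; hash_equals()
// keeps the comparison constant-time.
function verifyLegacy(string $candidate, string $stored, string $salt): bool
{
    return hash_equals($stored, Protect($candidate, $salt));
}

// Hardened replacement: password_hash() draws a random per-user salt itself
// and applies a tunable work factor (bcrypt here). The stored string carries
// the algorithm, cost and salt, so no site-wide secret is needed.
function storePassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkPassword(string $candidate, string $stored): bool
{
    return password_verify($candidate, $stored);
}

// Constructed sample values (the same strings the post uses).
$salt = "MYsA1t";
$pw   = "PassW0rd";

var_dump(outerRotationIsReversible($pw, $salt));
var_dump(verifyLegacy($pw, Protect($pw, $salt), $salt));

$stored = storePassword($pw);
var_dump(checkPassword($pw, $stored));
var_dump(checkPassword("wrong", $stored));
// Two users with the same password get different stored values because each
// password_hash() call draws its own salt.
var_dump(storePassword($pw) !== storePassword($pw));
```

Run with `php example.php`. The first two checks establish that the rotation adds nothing a verifier has to undo and that a fixed salt is shared by every user, so two users with the same password end up with the same Protect() output; the password_hash() checks show the opposite property, plus a rejected wrong password.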

Dentafrice
04-12-2011, 05:48 PM
I really don't see why you posted this..? You just used str_rot13 and the hash function with whirlpool.. you didn't write the hashing, you just wrote a function to call it..

triston220
04-12-2011, 06:32 PM
I really don't see why you posted this..? You just used str_rot13 and the hash function with whirlpool.. you didn't write the hashing, you just wrote a function to call it..

Which is less time consuming:


$string = str_rot13(hash("whirlpool", "My Salt Here" . str_rot13("My Password")));

OR:


$String = Protect("My Password", "My Salt Here");

Dentafrice
04-12-2011, 06:34 PM
Which is pointless? Yours. Why are you shifting the characters any way? Anyone who knows that they are shifted will be able to just reverse the shifting and it's back to being pointless.

I suggest you take a few minutes to read up on encryption and hashing algorithms and learn a tad bit before showing off things that are pointless.

triston220
04-12-2011, 06:38 PM
Which is pointless? Yours. Why are you shifting the characters any way? Anyone who knows that they are shifted will be able to just reverse the shifting and it's back to being pointless.

I suggest you take a few minutes to read up on encryption and hashing algorithms and learn a tad bit before showing off things that are pointless.

By your reasoning, you might as well store passwords in plain text. Sure, if you knew it was shifted you can reverse it for the second shift, but not for the first shift.

HotelUser
04-12-2011, 06:41 PM
@triston220 It's good to see you're investing time in securing your scripts, I take it you're still learning and that's fine. If you want to protect user passwords further you could look into adding a salt, or reading up on encrypting and hashing (stackoverflow is usually a good place to see how other folks secure data, something like this http://stackoverflow.com/questions/3897434/password-security-sha1-sha256-or-sha512) good luck :)

I'd also pay no attention to how dentafrice worded his post. He means well I'm sure, I think he probably just doesn't realize that the way he worded his post sounds slightly rude/arrogant.

triston220
04-12-2011, 06:43 PM
@triston220 It's good to see you're investing time in securing your scripts, I take it you're still learning and that's fine. If you want to protect user passwords further you could look into adding a salt, or reading up on encrypting and hashing (stackoverflow is usually a good place to see how other folks secure data, something like this http://stackoverflow.com/questions/3897434/password-security-sha1-sha256-or-sha512) good luck :)

I'd also pay no attention to how dentafrice worded his post. He means well I'm sure, I think he probably just doesn't realize that the way he worded his post sounds slightly rude/arrogant.

Thanks. The script does use a salt though. :) Encryption is definitely a viable option though.

Dentafrice
04-12-2011, 06:49 PM
Of course I mean well.

Anyways, the rotation is pointless and stupid. Trust me. You're using whirlpool and a salt, that's good enough. If someone gets access to your database, in most cases they will most likely already or in the future have access to your files and program code.

Meaning:

1) They have found a vulnerability in your site, have access to your files and read a configuration file to find MySQL details and then dump your database.

2) They have FTP and are using it maliciously to now read your configuration file and dump your database.

3) They have found exploits and now have access to your database and may or may not eventually get your files.

So either way, the algorithm in your program's code of shifting the string is pointless.. stick with a GOOD user-variable'd salt and a good hashing algorithm and that's all you need.

It's obvious you're just young and learning, and do not really know a lot about PHP, encryption, hashing, or security. That's fine. But take my word for it when I tell you things... I've been there, done that, too many times in my near decade of programming.

triston220
04-12-2011, 06:54 PM
Of course I mean well.

Anyways, the rotation is pointless and stupid. Trust me. You're using whirlpool and a salt, that's good enough. If someone gets access to your database, in most cases they will most likely already or in the future have access to your files and program code.

Meaning:

1) They have found a vulnerability in your site, have access to your files and read a configuration file to find MySQL details and then dump your database.

2) They have FTP and are using it maliciously to now read your configuration file and dump your database.

3) They have found exploits and now have access to your database and may or may not eventually get your files.

So either way, the algorithm in your program's code of shifting the string is pointless.. stick with a GOOD user-variable'd salt and a good hashing algorithm and that's all you need.

It's obvious you're just young and learning, and do not really know a lot about PHP, encryption, hashing, or security. That's fine. But take my word for it when I tell you things... I've been there, done that, too many times in my near decade of programming.

SQLi = Access to database.
Shelling = Access to files, and therefore the database too.

It all depends on the exploit used. If it's been SQL injected, (Which, hopefully it won't have been, if you sanitize your input) an intruder wouldn't know it's been rotated. This would delay, or fully prevent, reversal of the original input.

Dentafrice
04-12-2011, 06:57 PM
It would delay. Rotational patterns have always been found and identified. Since the earliest of Caesar ciphers. Might as well give up, not going to win, kid.

triston220
04-12-2011, 07:00 PM
It would delay. Rotational patterns have always been found and identified. Since the earliest of Caesar ciphers. Might as well give up, not going to win, kid.

After some time, it would be discovered. But that extra time given may just be enough for a site admin to figure something's up. Patronizing me is rather rude if I'm honest.

Dentafrice
04-12-2011, 07:47 PM
My goal really isn't to be nice, so I achieved my point.

triston220
04-12-2011, 08:06 PM
My goal really isn't to be nice, so I achieved my point.

So what exactly is your goal?

Dentafrice
04-12-2011, 09:40 PM
For you to learn a little bit ;) You'll realize that my arrogance comes from years of experience. Listen to what I say and you'll learn something.

Just ask Matt (Source) where my arrogance comes from.

triston220
04-12-2011, 09:52 PM
For you to learn a little bit ;) You'll realize that my arrogance comes from years of experience. Listen to what I say and you'll learn something.

Just ask Matt (Source) where my arrogance comes from.

But I haven't learned anything really. :S Why shouldn't a rotation function be used to deter attacks?

Dentafrice
04-12-2011, 09:54 PM
Sure, you can do it.. just like you can add five salts $salt . $salt . $password . $salt . $salt. Sure, it can deter people.. but it's pointless.

triston220
04-12-2011, 10:02 PM
Sure, you can do it.. just like you can add five salts $salt . $salt . $password . $salt . $salt. Sure, it can deter people.. but it's pointless.

Why is that? Surely the extra millisecond it takes to execute is worth the potential hours it would add to a bruteforce attack?

Dentafrice
04-12-2011, 10:06 PM
To a brute force attack yes. Not to an attack where you know how it works, know the salt, and are attempting to just reverse it.. nope.. no help there ;)

I'm not arguing anymore. It's a pointless argument and a pointless function.

triston220
04-12-2011, 10:12 PM
To a brute force attack yes. Not to an attack where you know how it works, know the salt, and are attempting to just reverse it.. nope.. no help there ;)

I'm not arguing anymore. It's a pointless argument and a pointless function.

I'm not wanting to argue either, I want to learn more. I want to know why I shouldn't bother. As long as you check for shells etc., you shouldn't have that issue. The function is useful in case of a database, but not web server, compromise. At the very least, you could remove the rotation function call and it would still save you time.
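The exchange above turns on whether the rotation buys "hours" against guessing. The cost a guessing attack pays per candidate is whatever the verifier pays per candidate, and that is something the defender can measure. The following added example (not from anyone in the thread) times one whirlpool call, the posted whirlpool-plus-two-rot13 construction, and bcrypt at two cost settings; it is the same measurement used to tune a work factor. legacyProtect and secondsPerCall are names assumed for this example, and the absolute numbers depend on the machine, so only the ratios matter.

```php
<?php
// Added example, not from the thread. Measures seconds per candidate check for
// each scheme. legacyProtect() mirrors the posted Protect(); everything else
// is constructed for this example.

function legacyProtect(string $string, string $salt): string
{
    return str_rot13(hash("whirlpool", $salt . str_rot13($string)));
}

// Time $iterations calls of $fn and return seconds per call. $fn receives the
// loop index so that every call hashes a different input.
function secondsPerCall(callable $fn, int $iterations): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        $fn($i);
    }
    return (hrtime(true) - $start) / 1e9 / $iterations;
}

$salt = "MYsA1t";     // constructed
$pw   = "PassW0rd";   // constructed

// Whirlpool alone versus whirlpool plus the two rot13 calls: the rotations
// add a small constant per guess, not a multiplier.
$plainHash = secondsPerCall(fn($i) => hash("whirlpool", $salt . $pw . $i), 20000);
$rotated   = secondsPerCall(fn($i) => legacyProtect($pw . $i, $salt), 20000);

// bcrypt's cost parameter doubles the work for each increment, so cost 12 is
// four times cost 10 and several orders of magnitude above one whirlpool call.
$bcrypt10 = secondsPerCall(fn($i) => password_hash($pw . $i, PASSWORD_BCRYPT, ['cost' => 10]), 5);
$bcrypt12 = secondsPerCall(fn($i) => password_hash($pw . $i, PASSWORD_BCRYPT, ['cost' => 12]), 5);

printf("whirlpool            : %.2f us/check\n", $plainHash * 1e6);
printf("whirlpool + 2x rot13 : %.2f us/check\n", $rotated * 1e6);
printf("bcrypt cost 10       : %.1f ms/check\n", $bcrypt10 * 1e3);
printf("bcrypt cost 12       : %.1f ms/check\n", $bcrypt12 * 1e3);
printf("rot13 overhead       : %.1f%%\n", ($rotated / $plainHash - 1) * 100);
printf("bcrypt12 / whirlpool : %.0fx\n", $bcrypt12 / $plainHash);
```

Run with `php bench.php` (PHP 7.4 or later for arrow functions and hrtime). The useful reading is the last two lines: the rotation changes the per-check cost by a percentage, while the bcrypt cost parameter changes it by a factor that the defender can keep raising as hardware gets faster, which is the property a password store actually needs.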
