Rupom Razzaque - 2006-05-26 11:23:52
Hello All,
I like to talk a bit about the strength of the "Secure Password" class. Also I like to give a short decsription.
Short Description:
This technique -
1. Creates strong salt of given length
2. Makes that salt more strong by decoding it to binary data
3. Creates hash appending that salt to the output of secure hash algorithm - 1
(sha1)generated hash. Parameter of SHA1 in this case is (decoded salt + plainpassword)
4. In matching a password with a stored hash,
(i) The salt is extracted from given/stored hash and decoded first
(ii) Then sha1() is implemented on that salt + plain password
(iii) Then this hash is compared with the sha1() generated-hash portion of given/stored hash
Strength :
1. If no parameter is given, initSalt() generates random salt that eventually generates random password hash for the same plain password.
2. When password characters are only plaintext, attackers' job is easy. Use of base64_decode()
helps this technique generate more strong password since the hash contains binary data.
3. Changing the length of salt (saltLength), you can generate password of variable lengths(upto 70 characters).
This strengthens the password and makes attackers' job tough.
Regards,
MA Razzaque Rupom
