rmPass - Password Encoder
rmPass is a lightweight password encoder (hash) that creates a short packed binary string: View Source Code.
I confess, I generally use the password generation program from the database to create passwords. In this project I am using SQLite3, which is light on such embedded functionality, so I was preparing to use the PHP password_hash() program to generate the password hash.
PHP's password_hash() currently creates a 60-character string, and the PHP developers indicate that they might move to a 72-character string to keep up with the ever-expanding rainbow tables used to attack PHP's algorithm.
I agree that programmers need to be more attentive than ever to security, but the use of a 72-character hash is a sign of a losing battle.
Since hackers are going after industry-standard programs, I think it wise to build my own program, hoping the hackers won't find it worth their time to break.
The goal of hashing is that, rather than storing user passwords, programs should store an imprint made from the password. If a hacker breaks into a site and gets the password database, they will still have to do some work to figure out the passwords.
The stored password doesn't have to be long. It just has to be difficult to reassemble the password from the stored value. It seems to me that the best way to beat rainbow tables is for different web sites to use different hashing programs. The View Source program lets you view my Password Generator. This form lets you test it.
The goal is to make an imprint of a password that is hard to reassemble. rmPass splits the bits of each character in the password into bins, multiplies each bin by a prime, adds the bins back together, then packs the result into a multibyte binary string for storage in the database. I seed the program with the user_id, so even if two people have the same password, the stored hash will be unique.
If someone hacks my database, they will be faced with just a bunch of binary garble. Even if the hacker gets all of the pieces of this puzzle, it is hard to reverse the combination of multiplication and addition.
Change for Security
I tend to change my password hashing algorithm regularly. My password table is a jumble of output from different algorithms. As hacking technology tends to outpace security technology, it is wise to build a system that allows the programmers to change the hashing program. My program stores the hash together with an id identifying the algorithm that created it; the login program looks up the user and applies the matching algorithm.
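The design above, an algorithm id stored beside each hash so the hashing program can be swapped out and old entries re-hashed at the user's next login, as an added example that is not rmPass or the page's own code. Since the rmPass source is not on this page, the registered "programs" are assumed to be two PBKDF2 settings from Python's standard library, and a random per-record salt plays the role the user_id seed plays in rmPass.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Registry of hashing programs, keyed by the id stored beside each hash.
# Constructed example: id 1 is an older, cheaper setting; id 2 is the current one.
def _pbkdf2(password: bytes, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

HASHERS = {
    1: lambda pw, salt: _pbkdf2(pw, salt, 10_000),
    2: lambda pw, salt: _pbkdf2(pw, salt, 200_000),
}
CURRENT_ID = 2  # the program new hashes are created with


@dataclass
class StoredPassword:
    """One row of the password table: which program made the hash, plus salt and digest."""
    algo_id: int
    salt: bytes
    digest: bytes


def make_hash(password: str, algo_id: int = CURRENT_ID) -> StoredPassword:
    # Fresh random salt per record, so equal passwords give different stored values.
    salt = os.urandom(16)
    return StoredPassword(algo_id, salt, HASHERS[algo_id](password.encode(), salt))


def verify_and_upgrade(password: str, stored: StoredPassword) -> tuple[bool, StoredPassword]:
    """Check a login against the stored row; on success with an outdated program,
    return a replacement row hashed with the current program for the caller to save."""
    hasher = HASHERS.get(stored.algo_id)
    if hasher is None:
        return False, stored  # unknown/retired program id: fail closed
    ok = hmac.compare_digest(hasher(password.encode(), stored.salt), stored.digest)
    if ok and stored.algo_id != CURRENT_ID:
        return True, make_hash(password)  # password is in hand only at login, so re-hash now
    return ok, stored
```

The caller writes the returned row back whenever its algo_id changed, so the table migrates to the new program one login at a time.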
Using OAuth
Of course, maintaining passwords is a pain in the rear. In my upgrade, I will use both direct login and an OAuth login from Twitter, Google, Yahoo, Facebook and other major players.
You can leave comments about this code on my blog.