RM - Source Code View

Source Code Viewer

This page lets you view source code from my server. The program uses a brute force code formatter to color code elements. NOTE: I wrote this program while trying to learn the vim text editor. This is not my usual coding style.

Use this select box to select a file.

Hide Lines Numbers

View: rmPass Password Hash

A short hashing algorithm that outputs a binary string

Formatted Code

Below is the code all formatted with bright colors. The program links to files opened with include() and expands those opened with require(). Clicking on the require line should change visibility.

rmPass Password Hash

001 <!DOCTYPE html> 002 <html lang="en"> 003 <?php 004 include('/var/www/php/rmHead.php'); // links to 1 005 /** 006 * rmPass generates a binary string imprint (hash) of a password. I wrote 007 * this because PHP password_hash() produces a 60 character string 008 * (which is excessively long in my opinion. I will store the "PRIMES" 009 * in a secured directory. 010 * 011 * @package ResourceModel 012 * @see https://yintercept.com/resources/password.php for output. 013 * Feel free to leave comments on my blog: 014 * @see http://blog.yintercept.com/2016/01/password-program.html 015 * @copyright 2016 kd 016 */ 017 class rmPass { 018 // BIG_NUM need not be prime. the primes must between BIG_NUM/2 and BIG_NUM 019 const BIG_NUM = 99264288; 020 const PRIMES = [69294283,69296663,71270663,68464943,68466439,71453269]; 021 // Note, I use different primes on my production system. 022 private $bins = [7,11,23,29,35,53]; // we will split the data into six bins. 023 // bPos and depth are used to populate the bins. 024 private $bPos = 0; 025 private $depth = 0; 026 private $seedArr = array(); // we will multipy the seed by primes. 027 public $packed = null; // this is the return value. 028 029 public $valA=0; // used to display calculated hash in this test 030 public $valB=0; 031 private function popBins($test) { 032 if ($test) { 033 $this->bins[$this->bPos] += (1 << $this->depth); 034 } 035 $this->bPos++; 036 if ($this->bPos > 5) { 037 $this->depth++; 038 $this->bPos = 0; 039 } 040 } 041 /** 042 * The constructor generates a password from a seed and a string 043 * @param integer seed is a unique id for the password. 044 * @param string The password is a string. 045 */ 046 public function __construct($seed, $str) { 047 // Most passwords, I encounter use ASCII characters between 048 // chr(32) & chr(126); modulo div by 94 gives a nice distribution of bits 049 // As most languages cluster letters, this works for other languages. 050 $sLen = mb_strlen($str); 051 // then multiply by a prime` 052 for ($i=0; $i<6; $i++) { 053 $seedArr[$i] = (self::PRIMES[$i]*$seed)%self::BIG_NUM; 054 } 055 echo '<b>Seeded Primes</b>:<br />'.implode('-',$seedArr); 056 $i=0; 057 echo PHP_EOL.'<b>Characters</b>'.PHP_EOL; 058 for ($i=0; $i<$sLen; $i++) { 059 $chr = mb_substr($str,$i,1); 060 if (strlen($chr)==1) { 061 $oVal = ord($chr) %94; 062 // the echo statementa are for display. Remove for production systems. 063 echo $oVal.' '; 064 } else { 065 // I assume last chr of a multibyte char is most interesting. 066 $oVal = ord($chr[strlen($chr)-1]) %94; 067 echo $oVal.'+ '; 068 } 069 for ($j=0; $j<7; $j++) { 070 $this->popBins($oVal >> $j & 1); 071 } 072 } 073 // Now let's shuffle the bins. 074 for ($i=0; $i<6; $i++) { 075 // 2^30-1 has 29 oes. The bit-and keeps product under PHP_INT_MAX 076 if ($this->bins[$i] > 1073741824) $this->bins[$i] = $this->bins[$i] & 1073741823; 077 $this->bins[$i] *= $seedArr[$i]; 078 } 079 echo PHP_EOL.'<b>bins</b>'.PHP_EOL; 080 print_r($this->bins); 081 // my production system combines these last three lines into one. 082 $this->valA = ($this->bins[0] ^ $this->bins[2])+$this->bins[4]; 083 $this->valB = ($this->bins[1] ^ $this->bins[5]) + $this->bins[3]; 084 $this->packed = pack('qq',$this->valA,$this->valB); 085 } 086 } 087 ?> 088 <head> 089 <meta charset="UTF-8" /> 090 <meta name="viewport" content="width=device-width, initial-scale=1" /> 091 <meta name="Author" content="Kevin Delaney" /> 092 <meta name="keywords" content="php password alternative" /> 093 <meta name="description" content="This is a test program for creating an imprint of a password." /> 094 <title>PHP Hash Algorithm Outputting Binary Data</title> 095 <link rel="canonical" href="https://yintercept.com/resources/password.php" /> 096 <link rel="stylesheet" href="rm.css" type="text/css"> 097 </head> 098 <body> 099 <div class="ad"> 100 <script async src="//pagead2.googlesyndication.com/pagead/js/adsbygoogle.js"></script> 101 <!-- yintercept - responsive goodle ad --> 102 <ins class="adsbygoogle" 103 style="display:block" 104 data-ad-client="ca-pub-7057064824800338" 105 data-ad-slot="4504818749" 106 data-ad-format="auto"></ins> 107 <script> 108 (adsbygoogle = window.adsbygoogle || []).push({}); 109 </script> 110 </div> 111 <header> 112 <div id="pageTitle"> 113 <a href="https://yintercept.com/resources">The Resource Model for Web Design</a> 114 </div> 115 </header> 116 <div class="main"> 117 <h2>rmPass - Password Encoder</h2> 118 <p><b>rmPass</b> is a lightweight passwoder encoder (#hash) that creates a short packed binary: <a href="https://yintercept.com/resources/view.php?script=12#code">View Source Code</a>.</p> 119 <p>I confess, I generally use the password generation program from the database to create passwords. In this project I am using SQLite3 which is light on such embedded functionality; I was preparing to use the PHP <a href="http://php.net/manual/en/function.password-hash.php">password_hash</a>()</a> program to generate the password hash.</p> 120 <p>PHP password_hash() currently creates a 60 character string and indicates that they might move to 72 character string to keep up with the ever expanding rainbow tables used to hack PHP's algorithm.</p> 121 <p>I agree that programmers need to be more attentive than ever to security, the use of a 72 character hash is a sign of a failing battle.</p> 122 <p>Since the hackers are going after industry standard programs. I think it wise to just build my own program. Hoping the hackers won't find it worth their time to break.</p> 123 <p>The goal of hashing is that, rather than storing user passwords, programs should store an imprint made from the password. If a hacker cracks a site a gets a database of passwords; the hacker will still have to do some work to figure out the passwords.</p> 124 <p id="pform">The stored password doesn't have to be long. It just has to be difficult to reassemble from the stored. It seems to me that the best way to beat rainbow tables is for different web sites to use different hashing programs. The <a href="https://yintercept.com/resources/view.php?script=12#code">View Source</a> program lets you view my Password Generator. This form lets you test it.</p> 125 <form action="https://yintercept.com/resources/password.php#pform" method="post"> 126 <table style="margin: 8px auto 8px auto"> 127 <tr><th colspan=2"><h3>Password Test</h3></th></tr> 128 <tr><td class="prompt">Numeric Seed</td><td class="cell"><input name="seed" type="number" min="1" max="2000" value="101" /></td></tr> 129 <tr><td class="prompt">Password</td><td class="cell"><input type="text" name="pwd" /></td></tr> 130 <tr><td class="prompt"></td><td class="cell"><input type="submit" name="btn" value="Test Password" /></td></tr> 131 </table> 132 </form> 133 <?php 134 // Produce the output for the form. 135 if (isset($_POST['btn'])) { 136 $seed = filter_input(INPUT_POST,'seed',FILTER_VALIDATE_INT); 137 $pwd = (isset($_POST['pwd']))? $_POST['pwd'] : ''; 138 if ($seed and $pwd != '') { 139 echo PHP_EOL.'<div style="margin: 8px 5% 8px 5%; padding: 5px; background-color: #eed; border: 1px dashed #777"><h3>Password Hash</h3> 140 <p><b>Seed</b> = '.$seed.',<br /><b>password</b>='.$pwd.'</b></p>'; 141 echo '<p>echo statements from the object say:</p> 142 <pre>'; 143 $pw = new rmPass($seed,$pwd); 144 echo PHP_EOL.'</pre>'; 145 echo PHP_EOL.'<p>Unpacked hash is '.$pw->valA.'.'.$pw->valB.'</p>'; 146 echo PHP_EOL.'<p>Packed hash is '.strlen($pw->packed).' characters</p>'; 147 echo PHP_EOL.'<p>It looks like: '.$pw->packed.'</p>'; 148 echo PHP_EOL.'</div>'; 149 } 150 } 151 logHit(0,0); 152 ?> 153 <p>The goal is to make an imprint of a password that is hard to reassemble. <b>rmPass</b> splits the bits from each character in the password and puts them in bins. It multiplies each bin by a prime. Adds the bins back together, then packs the data into a multibyte binary string for storage in the database. I seed the program with the user_id. Even if two people had the same password; the stored hash will be unique.</p> 154 <p>If someone hacks my database; they will be faced with a just a bunch of binary garble Even if the hacker gets all of the pieces of this puzzle. It is hard to reverse the combination of multiplication and addition.</p> 155 <h3>Change for Security</h3> 156 <p>I tend to change my password hashing algorithm regularly. My password table is a jumble of output from different algorithms. As hacking technology tends to outpace security technology, it is wise to built a system that allows the programmers to change the hashing program. My program stores the hash and an id used to create the hash. The login program looks up a user.</p> 157 <h3>Using OAuth</h3> 158 <p>Of course, maintaining passwords is a pain in the rear. In my upgrade, I will use both direct login and an oauth login from <a href="https://twiter.com/yintercept">twitter</a>, google, yahoo, facebook and other major players.</p> 159 <p>You can leave comments about this code on <a href="http://blog.yintercept.com/2016/01/password-program.html">my blog</a>.</p> 160 </div> 161 <p style="text-align: center"><a href="https://irivers.com" style="color: #eea">iRivers</a> 162 ~ <a href="http://blog.yintercept.com" style="color: #eea">blog</a> 163 ~ <a href="http://tumblr.imoab.com" style="color: #eea">>Moab Photos</a> 164 </p> 165 </body> 166 </html>

Use "view source" from your browser to grab the output. Feel free to link to this project and check out the Resource Model for information on PHP coding or my tumblr blog for picture of Arizona, Colorado or Utah.

File last modified at January 20 2020 07:55:31.. This page has been viewed 5384 Times.

blog ~ Resource Model ~ links