[PHP] Simple Hash Generator

AoN

Over the years, I've created, God knows how many, custom hashing functions for password and sensitive information protection. For the most part, it's relatively easy to set up one, but that also depends on your familiarity with them.

To help out a co-worker, I went ahead and made this quick generator that'll create a hash using either letter or number substitution. It also gives several "enhancements" which utilize MD5 and multiple uses of the hash. Bear in mind, this is a VERY simple method of hashing, and is only secure so long as your hash array remains unknown to unauthorized personnel. Anyways, here it is:

Simple Hash Generator

Let me know what y'all think. ^^
 
You can do things like this all day but it really doesn't add much benefit over computational expensiveness, when it comes down to the end-user security IMO when you do this any more than a couple times:
Code:
$password = strtr($string, $encrypt);                              // If using Hash of String, comment out the other $password declaration
$password = MD5(strtr($string, $encrypt));                         // If using MD5 of Hash of String, comment out the other $password declaration
$password = strtr(MD5(strtr($string, $encrypt)), $encrypt);        // If using Hash of MD5 of Hash of String, comment out the other $password declaration
$password = MD5(strtr(MD5(strtr($string, $encrypt)), $encrypt));

Also, $alphabet and $key can be strings, no need for those arrays. You can convert them to arrays using str_split() anyways.

Code:
$alphabet = str_split('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()');
$key      = str_split('(Eh%X^imcqFZLyBkAR283@49gOrdKYIo#jQu*MNWTUn)v1!5$tfzxsP&DbJlG0Saew7V6HCp');
 
A bit to add to Ace's comment.

If you're going to encrypt multiple times you might as well add a salt to the mix.

Other than that, looks good.

Encrypting multiple times is fine, but it does little to benefit security if they also know the encryption algorithm.
 
Every programmer should have a bag of salt when it comes to hashing algorithms to which they can use. :) It's a necessary ingredient in my most humble opinion...
 
Well, given what they wanted, this does what they wanted and it was quicker for me to do auto-formatting on the array they provided. As for adding salt, I agree. They only wanted multiple character substitution, I tossed in the MD5 as a "bonus" in case they changed their mind. It won't be difficult to adjust it to add salt or do a str_split on the output instead of the array. I'll update it tomorrow at work.
 
Well, given what they wanted, this does what they wanted and it was quicker for me to do auto-formatting on the array they provided. As for adding salt, I agree. They only wanted multiple character substitution, I tossed in the MD5 as a "bonus" in case they changed their mind. It won't be difficult to adjust it to add salt or do a str_split on the output instead of the array. I'll update it tomorrow at work.

It's interesting they don't want something more secure.

Most people nowadays suggest ditching MD5 for something stronger, like from the SHA family.

I guess you do what you can, interesting all the same. Thanks for sharing :thumbsup2:
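
Added example (not code from the generator or from any poster), illustrating the salt and stronger-hash suggestions above: it shows that the substitution step is reversible by anyone who has the table, that the layered MD5 variant is unsalted, and how PHP's built-in `password_hash()` behaves by comparison. It assumes PHP 5.5 or later, which is newer than the 5.2.17 mentioned elsewhere in this thread; `thread_hash()` is a hypothetical name and the sample password is constructed.

```php
<?php
// Added example; not the generator's code. $alphabet and $key are the
// strings quoted earlier in the thread; the password below is constructed.
$alphabet = str_split('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890!@#$%^&*()');
$key      = str_split('(Eh%X^imcqFZLyBkAR283@49gOrdKYIo#jQu*MNWTUn)v1!5$tfzxsP&DbJlG0Saew7V6HCp');
$encrypt  = array_combine($alphabet, $key);   // substitution table for strtr()

// Hypothetical helper wrapping the most layered variant shown in the thread.
function thread_hash($string, array $encrypt)
{
    return md5(strtr(md5(strtr($string, $encrypt)), $encrypt));
}

$password = 'Tr0ub4dor&3';   // constructed sample input

// 1. strtr() with a one-to-one table is an encoding, not a hash: whoever
//    holds the table can flip it and read the original input back.
$decrypt   = array_flip($encrypt);
$roundTrip = strtr(strtr($password, $encrypt), $decrypt);
echo 'substitution reversible with table: ';
var_dump($roundTrip === $password);

// 2. No salt: every account using this password stores the same value, so
//    one recovered entry exposes all accounts that share it.
echo 'same password, same stored value:   ';
var_dump(thread_hash($password, $encrypt) === thread_hash($password, $encrypt));

// 3. password_hash() generates a random salt per call and stores it, with
//    the algorithm and cost, inside the returned string.
$storedA = password_hash($password, PASSWORD_DEFAULT);
$storedB = password_hash($password, PASSWORD_DEFAULT);
echo 'salted hashes differ per account:   ';
var_dump($storedA !== $storedB);

// 4. Verification re-reads the salt and cost from the stored string, so no
//    secret table or separate salt column is needed.
echo 'correct password verifies:          ';
var_dump(password_verify($password, $storedA));
echo 'wrong password rejected:            ';
var_dump(password_verify('not-the-password', $storedA));
```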
 
I agree, but this was something they were asked to do extra to their regular work. I'm not TOO surprised they aren't concerned. Being overworked and underpaid is a standard practice these days. I've been denied a second job for about a month now, and I won't make rent without one. ^^'

My troubles aside, I made this into a generator because I haven't found one that actually does this, though I haven't put TOO much effort into looking. It's basically just something to pass the time and reintroduce me to PHP (since I haven't been able to use it in a few years).

Now, I've updated the generator to use and output the arrays as str_split strings. It also produces output using MD5 and SHA1 individually, in conjunction with each other, and doubling up the hashing/encryption. Next, I'll look at combining the letter/number hashing. Not a difficult thing to do, just time-consuming. Thankfully, while I'm at work I have the time. Outside of work, I'm looking for a second job. ^^'
 
Alright, so I've added a letter/number combo and SHA256.

I'm going to leave it like this for a while. When next I come back to this, I'll work on building a UI to allow a user to "build" the output by selecting the hashing/encryption they want and the order in which they want it. That'll significantly reduce the displayed output and allow me to more easily incorporate all the possible default encryption methods, including legacies like MD2.

Anyways, I might get back to it later today, if I'm feeling up to it, but I'm a bit tired of looking at the same code repeated so many times. I am looking forward to building this UI, though. I've never needed to incorporate dynamically generated content with PHP, so it should be fun. :)
 
Alright, so I've added quite a bit of "functionality". Users can supply a demo password and as many hashes as is supported by PHP. I dynamically generated the jQuery that dynamically generates the hash selectors by using hash_algos() to pull all the available hashes supported by my server's current version of PHP, 5.2.17.

Upon submission, it verifies that there is at least one hash and a demo password, though I'll remove the need for a demo password (make it optional) after I've fixed my one bug (that I'm aware of). There is already code in place to retain the password in case the form is submitted without adding a hash. I'll add the same for the dynamically generated hash selectors, after I get my bug fixed.

The output works fine, with one exception. I can't get the bloody thing to run the letter/number hashing of the demo password, and I can't figure out why. I'll try to keep the code I put up here for this simple by only putting up where there's a problem.

Everything in my code works up to an if...then...else statement I have for generating the demo password hash (eval() just didn't want to work, also because of the letter/number hashing). Here's the statement:
Code:
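// Normalise the selected hash's display name: strip spaces and commas, lower-case it
$hashName = strtolower(str_replace(",", "", str_replace(" ", "", $hashList[$j][0])));
if($hashName == 'letterhashing')
{
    // Letter substitution using the $letters table
    $hashed = strtr($hashed, $letters);
}
else if($hashName == 'numberhashing')
{
    // Number substitution using the $numbers table
    $hashed = strtr($hashed, $numbers);
}
else if($hashName == 'md5')
{
    $hashed = md5($hashed);
}
else if($hashName == 'sha1')
{
    $hashed = sha1($hashed);
}
else if($hashName == 'crc32')
{
    $hashed = hash('crc32', $hashed);
}
else
{
    // Calls the function whose name is stored in $hashName
    $hashed = $hashName($hashed);
}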
Basically, for the hashes that have a function by default in PHP, I've just done a straight hash. For the other supported hashes that don't have their own function, I've dynamically generated functions for each one and they are then called. In the case of the letter/number hashing, I just ran the strtr() instead of bothering with anything else. Now, I've verified by adding prompts, alerts, echos, etc. that the $hashName is 'letterhashing' after applying the formatting, but it will not acknowledge it in the comparison. All the other comparisons work, md5, sha1, and crc32, but letterhashing and numberhashing won't work. I've even copied the output of the prompts directly into the code to ensure it matches the output, but nothing changed.

I know the issue is with the comparisons because the strtr() runs if I put it outside the if statement, and the prompts I put directly before the if do not pop when put directly after the if.

I've tried substituting for strcasecmp() and redeclaring the $hashName variable immediately before the if, but to no avail.

There appears to be no shortage of people having similar issues, but every case I've looked at (well over 50) was a bloody typo somewhere, or they just weren't doing it right. I know my code should work, but it's not.

Here's an Ideone that shows that the code works when I rip it out of everything else: Ideone.com - HFxZFs - Online PHP Interpreter & Debugging Tool

Any ideas?



Edit:
Oh, the link to the version of the generator I'm working on is: http://zrift.com/Login Hash/index2.php
 
Ah, figured it out.

I broke it down, step-by-step, to see what the problem was. I'm not sure why, but it was wrapping the $hashed variable in single quotes before hashing. In the other forms of hashing, that wouldn't be a problem, but my strtr() doesn't support single quotes, and even if it had, the results would be tampered with by wrapping it. So, I added str_replace() as part of the for loop in order to strip it away.

Now, I'm playing around with jQuery to combine validation and post to the PHP, but the .post() doesn't want to work, and .ajax() keeps disabling the dynamic fields. bleh.
 
Yeah, I figured out the jQuery bit fairly quickly after a not-so-good night's sleep. ^^

So, I've updated the code, all around, removing the dynamically generated functions I had previously mentioned for just updating it in the if...then...else that was previously troubling me. I've added a salt generator, a link back to the first page to start again, Base64 encoding, and some messages from the sponsor.

Since I've fixed all the bugs I found with my updated version, I have renamed the files so that v0.4.1142 (current version) is not the index: http://www.zrift.com/Login%Hash/.

Obviously, I haven't tested EVERY possible combination, but that's because there's just so many! I have done hashes with all the formats, all formats with Base64, all formats with salt, all formats with Base64 and salt, all formats in the same string, all formats in the same string with Base64, all formats in the same string with salt, and all formats in the same string with Base64 and salt. Hopefully, that is enough, but there's always the possibility that something won't work between two parts that works with three. ^^'

So, let me know what y'all think. I fully intend to keep updating this. It was primarily a project to help refresh my basic PHP, throw in a little jQuery, and yeah! There are several other projects I want to do, like building my new website, that will likely take priority over this, but I don't intend to forget about it. ^^
 
v0.5.393 is not live!

Changelog:
  • Added ability to remove an individual entry without losing other entry data
  • Added ability to specify a fixed salt AND a dynamic salt
    • Fixed salt will be used for ALL selections of fixed salt
    • Dynamic salt will be used for ALL selections of non-fixed salt
  • Replaced the dynamic salt with a randomly generated salt from the list of approved characters (this way salt can be shuffled properly within the substitution options)
  • Added version number to bottom of the page
  • Added notes explaining the substitution options
  • Added suggestions/feedback link (e-mail) to page

For now, I'm calling it quits on this project, unless anyone gives me a suggestion to implement. It's well beyond what I had originally intended, though it's been plenty of fun. :)

Please, feel free to spread the page around. There's currently no ads, but if I start seeing a bandwidth increase I'll know it's an opportunity. ;)
 
Save counter.

I used implementation of major changes to the code to represent a subversion and the number of saves to represent the build number.
 