[TYPO3-english] Creating a salted MD5 password fails

Steffen Gebert steffen.gebert at typo3.org
Wed Apr 9 08:57:37 CEST 2014


Hi Marc,

> When I call the getHashedPassword() Method 3 times in a row I get
> 3 different results and none of them matches the hash in the DB.

Nope, that's correct. That's exactly the idea of salting a password.
The salt is the part of uncertainty that makes a salted password more
secure than one that is only hashed.
You can check the correctness of a password by calling the crypt()
function with the clear-text password to check and the stored hash
(which includes the salt). crypt() will then tell you whether the
password given is the same one that was used to generate the salted hash.

I created some slides a long time ago, but maybe they help you to
further understand that concept:
http://www.slideshare.net/StephenKing/secure-password-storing-with-saltedpasswords-in-typo3

Kind regards
Steffen

- -- 
Steffen Gebert
TYPO3 Server Administration Team Member

TYPO3 .... inspiring people to share!
Get involved: http://typo3.org

My wish list:
https://www.amazon.de/registry/wishlist/922E3JYSQ7CV/ref=cm_wl_sb_v?sort=priority

On 08/04/14 17:57, Marc Klein wrote:
> 
> Hi,
> 
> I'm trying to generate a salted MD5 password in an eID script and am
> doing something wrong :-(. When I call the getHashedPassword()
> method 3 times in a row I get 3 different results and none of them
> matches the hash in the DB.
> 
> ----
> protected function saltPassword($password)
> {
>     $saltedPassword = '';
>     echo $password . ' || ';
>
>     $saltedpasswordsInstance = tx_saltedpasswords_salts_factory::getSaltingInstance();
>     echo $saltedPassword = $saltedpasswordsInstance->getHashedPassword($password);
>     echo ' || ';
>
>     $saltedpasswordsInstance = tx_saltedpasswords_salts_factory::getSaltingInstance();
>     echo $saltedPassword = $saltedpasswordsInstance->getHashedPassword($password);
>     echo ' || ';
>
>     $saltedpasswordsInstance = tx_saltedpasswords_salts_factory::getSaltingInstance();
>     echo $saltedPassword = $saltedpasswordsInstance->getHashedPassword($password);
>     echo ' || ';
>
>     return $saltedPassword;
> }
> ----
> Results in
> 
> asdf || $1$JiUaTtX5$gxeLYdT0M/WiA5E3TENA61 || 
> $1$Ns7LPbhO$rgjOQve.ETW0qW0m7rhQU. ||
> $1$9uVyi3MZ$yhsbscIDxwVR4pxYQnCrQ1
> 
> Any idea what I'm doing wrong?
> 
> With best regards Marc