Hi everyone , this is the first topic in our blog http://loop-hashing.blogspot.com , i will explane a new way that helps you encrypte passwords (or any data) and store it safely in the database , and make sure that noOne is able to crack it , the idea is to encrypte the password using "for example" the md5 function a lot of times with a loop operation .
Introduction :
We all know that hash cracking became more possible and real with the huge databases of Hackers .
let us know how hackers do that and then explane our idea , when a hacker gain access into some database and get MD5 encrypted data he tries to crack it using some tools and databases for that , these tools usually have full databases of plain text password and it's equivalent in MD5 , if your encrypted password has found in the database then you will get the plan text equivalent, if not , it is impossible to crack it , that's it .
How strong is loop-hashing :
Supposing that the probability of finding a plain text of strong encrypted passwords is less than 5%
and it becomes more than 50% when talking about weak passwords , so , with loop hashing it becomes less than 0.1%, absolutely it is tiny enough to make our data safe .
The clear idea :
Loop hashing is based on a random-key generator function , that generates a random number between 20 and a big number , in PHP the biggest number we can use in rand() function is 15817 " rand(20,15817)"
we use the random returned number to encrypte the data using the MD5 with a loop like "for" related to the random number :
for($i=0;$i<$number;$i++)
then we can store our password and the random generated key , we will use this key to encrypte again the user input to compare between the entered password and the stored one in our database .
here's a code of a simple PHP register/login script that uses the loop hashing :
<?php
session_start();
$connection=mysql_connect("localhost","root","password") or die("Could not connect to the SQL server");
mysql_select_db("test");
function generatePass($key,$pass) {
for($i=0;$i<$key;$i++)
{
$pass=md5($pass);
}
return $pass;
}
if(isset($_POST['password']))
{
$mypass=$_POST['password'];
$rd=rand(5,15817);
$newPass=generatePass($rd,$mypass);
$query="INSERT INTO users(password,kw) Values('$newPass',$rd)";
mysql_query($query) or die("AN ERROR HAS BEEN ACCURED AND YOU COULD NOT REGISTER");
}
if(isset($_POST['pass']) && isset($_POST['ID']))
{
$pass=$HTTP_POST_VARS['pass'];
$id=addslashes($HTTP_POST_VARS['ID']);
$query="SELECT password,kw FROM users WHERE id=$id";
$result=mysql_query($query) or die(mysql_error());
$row=mysql_fetch_array($result) or die(mysql_error());
$badPass=generatePass($row[1],$pass);
if($badPass==$row[0]) {
print "Congratulations ! you've been logged in";
} else {
print "Incorrect Password , please try again";
}
}
?>
<html>
<body bgcolor="lightyellow">
<center>
<label>To register type a new password</label><br>
<hr width="25%"><br>
<form method="POST" action='<?php echo"$PHP_SELF?reg=1"; ?>'>
<input type="TEXT" name="password"><br>
<input type="SUBMIT" class="button" value="Register">
</form>
<br><br><br><br>
<label>To login type your password</label>
<hr width="25%"><br>
<form method="POST" action='<?php echo"$PHP_SElF?login=1"; ?>'>
<input type="TEXT" name="ID" value="Enter your ID"><br><br>
<input type="password" name="pass"><br><br>
<input type="SUBMIT" class="button" value="Login">
</form>
Edit the password of the database and create a database nammed "test" contains one table nammed users with 3 columns (id int PRIMARY KEY auto_increment not null , password VARCHAR(32) not null , kw int not null) the key "kw" is the random generated number .
and this is how passwords will look in the database :
you may wonder if i told you that all these MD5 hashs are the equivalents of one password : 123456
and they cannot be cracked even if you know the key "kw" of any password , because simply you cannot crack Hash of a Hash 11107 times , this looks like trying to guess a password contains 200 chars or greater .
until now , this is what loop-hashing is all about , the idea stills under developing , if you have new ideas , something to add or even a question , please let me know , that's it and i hope you enjoyed reading this topic ,
Regards , TheGeekThinker .
