I mean, crypt()'s return is always different. So how do websites like 4chan do to give a permanent tripcode to a password? Are they stored in a database?
A:
Yes password are stored in a database but without the use of crypt(). They use sha1() or encryption database function like AES_ENCRYPT() in mysql.
Stephnae Reuille
2010-07-30 19:22:52
If you're using a repeatable one-way crypographic hashing function, why would you bother storing it in a database? Unless you have specific evidence, I think you're wrong.
Gian
2010-07-30 19:31:33
And how can you get aIFnq+n2flzk with these?
sexyprout
2010-07-30 19:45:11
+2
A:
4chan's tripcodes are created using a specific formula, and are a shorter version of a hash. You can achieve the same effect by using MD5 or SHA1.
Encrypt string to MD5 (PHP):
$md5 = md5("$string");
Encrypt string to SHA1 (PHP):
$sha1 = sha1("$string");
There is no way to reverse the hashing process (just like tripcodes), but with time and power they can be "bruteforced" back to plain text.
esqew
2010-07-30 19:26:05
Minor niggle: Tripcodes aren't "a shorter version of a hash", they are a legitimate hash, although maybe not a commonly used or very strong one.
Mike Daniels
2010-07-30 19:37:08
+1
A:
It's quite common to salt a password, then hash it using DES, MD5, SHA, or newer hashes. The salt is then stored as part of the password.
PHP's crypt works this way, although the exact algorithm it uses to hash the password may be different between versions of PHP... and even between operating systems, although the latter supposedly changed in PHP 5.3. (PHP now includes its own hashing library instead of relying on the OS library, which is really, really important if you're using Windows, as crypt function on Windows only supported DES with 2-byte salt prior to this)
Edit:
Note: crypt has an optional second argument. Passing the encrypted password as the second argument will usually get PHP to detect the salt and algorithm used to originally hash the password, namely because everything other than DES start with $#$ where # is a number.
R. Bemrose
2010-07-30 19:34:30
What is the point of letting `crypt()` generate a random salt to use then? Wouldn't the hash it provides be useless unless you know the salt used?
Lèse majesté
2010-07-30 19:46:43
@Lèse: Ideally, you want a random salt when the password is first created, but you need to know said salt when comparing user input to the password. Which is why the salt is stored along with the hashed password.
R. Bemrose
2010-07-30 19:51:54
Ah, I didn't realize that the hash returned by the standard `crypt()` algorithm is actually a salt + hash--hence why I was confused why this works: `$foo = crypt($password); if (crypt($password2, $foo) == $foo) echo "access granted.";` But I'm guessing that won't work if you use a different algorithm.
Lèse majesté
2010-07-30 21:54:28
@Lèse: Yup. The salt is stored at the beginning, and is two characters for DES or an algorithm identifier, then the salt, then `$`. crypt MD5, for instance, has a salt `$1$SaltHere$`, whereas SHA-256 uses `$5$SaltHere$`... although I'm not sure what length salt the latter uses.
R. Bemrose
2010-07-31 03:57:37
Exactly, and it's said that you must use crypt(). But crypt()'s return is always different, as I said.
sexyprout
2010-07-30 19:47:30
@sexyprout: You pass the salt to crypt as the second argument. This causes the output to use that salt instead of generating one on the fly.
R. Bemrose
2010-07-30 19:49:08
@sexyprout: Forgot to mention, the salt being randomly generated is why `crypt("something")` returns different results each time. If I run `crypt("something", "ab")`, it'll be identical every time. I don't have PHP here to check what the value is, though.
R. Bemrose
2010-07-30 19:55:43
Yes, I tried this, but the results are still differents.PS: I'm running Ubuntu 10.04.
sexyprout
2010-07-30 19:57:39
Wait a minute. I was using uniqid() to generate salt. What an idiot! It's all my fault, sorry! It's resolved.
sexyprout
2010-07-30 20:01:00
A:
I think there's a table "tripcodes" where tripcodes were generated with the Wikipedia's and they are associated with strings they come from, no?
sexyprout
2010-07-30 19:51:38