I mean, crypt()'s return is always different. So how do websites like 4chan give a permanent tripcode to a password? Are they stored in a database?

A: 

Yes, passwords are stored in a database, but without the use of crypt(). They use sha1() or an encryption database function like AES_ENCRYPT() in MySQL.

Stephnae Reuille
If you're using a repeatable one-way cryptographic hashing function, why would you bother storing it in a database? Unless you have specific evidence, I think you're wrong.
Gian
And how can you get aIFnq+n2flzk with these?
sexyprout
+2  A: 

4chan's tripcodes are created using a specific formula, and are a shorter version of a hash. You can achieve the same effect by using MD5 or SHA1.

Encrypt string to MD5 (PHP):

$md5 = md5("$string");

Encrypt string to SHA1 (PHP):

$sha1 = sha1("$string");

There is no way to reverse the hashing process (just like tripcodes), but with time and power they can be "bruteforced" back to plain text.

esqew
Minor niggle: Tripcodes aren't "a shorter version of a hash", they are a legitimate hash, although maybe not a commonly used or very strong one.
Mike Daniels
And how can you get aIFnq+n2flzk with MD5 or SHA-1?
sexyprout
By base64 encoding it
Jherico
+1  A: 

It's quite common to salt a password, then hash it using DES, MD5, SHA, or newer hashes. The salt is then stored as part of the password.

PHP's crypt works this way, although the exact algorithm it uses to hash the password may be different between versions of PHP... and even between operating systems, although the latter supposedly changed in PHP 5.3. (PHP now includes its own hashing library instead of relying on the OS library, which is really, really important if you're using Windows, as the crypt function on Windows only supported DES with a 2-byte salt prior to this.)

Edit:
Note: crypt has an optional second argument. Passing the encrypted password as the second argument will usually get PHP to detect the salt and algorithm used to originally hash the password, namely because everything other than DES starts with $#$ where # is a number.

R. Bemrose
What is the point of letting `crypt()` generate a random salt to use then? Wouldn't the hash it provides be useless unless you know the salt used?
Lèse majesté
@Lèse: Ideally, you want a random salt when the password is first created, but you need to know said salt when comparing user input to the password. Which is why the salt is stored along with the hashed password.
R. Bemrose
Ah, I didn't realize that the hash returned by the standard `crypt()` algorithm is actually a salt + hash--hence why I was confused why this works: `$foo = crypt($password); if (crypt($password2, $foo) == $foo) echo "access granted.";` But I'm guessing that won't work if you use a different algorithm.
Lèse majesté
@Lèse: Yup. The salt is stored at the beginning, and is two characters for DES or an algorithm identifier, then the salt, then `$`. crypt MD5, for instance, has a salt `$1$SaltHere$`, whereas SHA-256 uses `$5$SaltHere$`... although I'm not sure what length salt the latter uses.
R. Bemrose
A: 

Wikipedia has an article about Tripcodes.

R. Bemrose
Exactly, and it's said that you must use crypt(). But crypt()'s return is always different, as I said.
sexyprout
@sexyprout: You pass the salt to crypt as the second argument. This causes the output to use that salt instead of generating one on the fly.
R. Bemrose
@sexyprout: Forgot to mention, the salt being randomly generated is why `crypt("something")` returns different results each time. If I run `crypt("something", "ab")`, it'll be identical every time. I don't have PHP here to check what the value is, though.
R. Bemrose
Yes, I tried this, but the results are still different. PS: I'm running Ubuntu 10.04.
sexyprout
`abP7OZ21Igc8k` according to a JavaScript DES crypt program.
R. Bemrose
Wait a minute. I was using uniqid() to generate salt. What an idiot! It's all my fault, sorry! It's resolved.
sexyprout
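
An added example (not code from the thread) of the behaviour worked out in the two comment threads above: crypt() is repeatable when it is given the same salt, and a stored hash can be passed back as the salt argument to check a password. The helper names `crypt_scheme`, `new_salt` and `verify` and the sample password are made up for illustration; it assumes PHP 7 or later.

```php
<?php
// Added example, not code from the thread. Password and salts are constructed.

// Name the crypt() scheme from the prefix of a stored hash.
function crypt_scheme(string $hash): string
{
    if (preg_match('/^\$(\w+)\$/', $hash, $m)) {
        $names = ['1' => 'MD5', '5' => 'SHA-256', '6' => 'SHA-512',
                  '2a' => 'Blowfish', '2y' => 'Blowfish'];
        return $names[$m[1]] ?? 'unknown';
    }
    return 'DES';   // no $id$ prefix: two-character salt, then the hash
}

// Build a fresh MD5-crypt salt, as you would when a password is first set.
function new_salt(): string
{
    return '$1$' . bin2hex(random_bytes(4)) . '$';   // 8 salt characters
}

// Check a candidate by re-hashing it with the stored hash as the salt argument.
// hash_equals() compares in constant time.
function verify(string $candidate, string $stored): bool
{
    return hash_equals($stored, crypt($candidate, $stored));
}

$password = 'something';

// 1. Fixed salt: both calls return the identical string, which is what
//    makes a tripcode-style value permanent without any database.
$a = crypt($password, 'ab');
$b = crypt($password, 'ab');
echo "fixed salt, same output:  ", var_export($a === $b, true), "\n";

// 2. Salt regenerated on every call: the two strings differ.
$h1 = crypt($password, new_salt());
$h2 = crypt($password, new_salt());
echo "fresh salts, same output: ", var_export($h1 === $h2, true), "\n";

// 3. Each stored string still verifies, because it carries its own salt.
echo "h1 verifies:              ", var_export(verify($password, $h1), true), "\n";
echo "h2 verifies:              ", var_export(verify($password, $h2), true), "\n";
echo "wrong password verifies:  ", var_export(verify('wrong', $h1), true), "\n";

// 4. The prefix tells you which algorithm produced each string.
echo crypt_scheme($a), " / ", crypt_scheme($h1), "\n";
```

For storing real account passwords, PHP's `password_hash()` and `password_verify()` wrap the same salt-in-the-hash pattern with a stronger default algorithm.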
A: 

I think there's a table "tripcodes" where tripcodes were generated with the Wikipedia's and they are associated with strings they come from, no?

sexyprout