, Please 
0
I never really understood the point of hashing until I started to read some stories about some experiences where hashing prevented their user's password database from being read.
So, first I should sort of explain what hashing is.
Hashing, is a one way algorithm that creates a unique string of text. A common mistake is users referring to hashing as an encryption method. The word encryption implies that there is a method of decryption as well. This is not the case with hashing. Hashing is meant to go one way, and one way only.
Why is this good? A hashed string is unique for each phrase entered, and is constant as long as the exact same text is entered. This is great for passwords because, well, passwords never change! Well, unless, of course, a user changes it, but that's besides the point. So, if my password was "puppydog", then it would appear as dbfff42a90727d02153511a33480572b (using md5). As long as "puppydog" is entered exactly the same, it would always result in dbfff42a90727d02153511a33480572b.
How does one start hashing? Simple.
Let's say you want to take the users entered password (from a previous form), hash it using md5, then store it in a database.
First, you would use an opening php tag.
<?phpThen you would create a variable based on the sent password.
$password = $_POST['password'];Now, the good part, you would create a variable that uses md5 algorithm on the password variable.
$hash = md5($password);See? Extremely simple. Now, of course, you would store the new hashed password into a database, then close the php tag.
mysql_connect("localhost", "admin", "blahblah") or die(mysql_error());
mysql_select_db("users") or die(mysql_error());
mysql_query("INSERT INTO users
(username, password) VALUES('$_POST['username']', '$hash' ) ")
or die(mysql_error());
?>
See? Extremely simple. When a user logs in, all you have to do is compare users, then use the same method of hashing on the password entered at the login form.
Now, uncovering a hashed string isn't impossible. There are two major ways of revealing a hashed string. Brute-Forcing and Rainbow Tables.
Brute-Forcing is trying every combination of characters to find a conflict in a hashed string. Though, even with a basic password, this can take extremely long, but, the outcome is usually correct.
Rainbow Tables are dictionaries of hashed strings. They include the phrase and it's hashed outcome. The user would enter the hashed string into a search form, and submit it. The search then shows the results. Surprisingly, rainbow tables are pretty effective, considering most users passwords are usually pretty basic words.
The easiest way to avoid these is salt. No, pouring table salt on a rainbow table won't make it shrivel up and die. I'm talking about a short, random string that is added to the password before it is hashed. This will effectively avoid the use of Rainbow Tables.
To use a salt, just define it in a variable, and put it in with the $password in the md5() function, as such:
<?php $password = $_POST['password']; $salt = "AKfsa*@"; $hash = md5($password . $salt); ?>The salt in the above code is "AKfsa*@". This was completely random. They don't need to be random at all, either. Just make up your own string. I usually copy a 5 or 7 character combination from a different hash.
It's important you use the same salt upon login. It's basically part of the password.
What about Brute-Forcing? Well, brute-forcing can still work around salts. It will just take longer.
I believe the best way to stop brute-forcing, is by hashing a string multiple times. Sort of like, hashing a hash. Like so:
<?php $password = $_POST['password']; $hash1 = md5($password); $hash2 = md5($hash1); ?>This way, the brute-forcer would have to uncover the first hash, which just reveals another hash, then they would have to reveal this new hash. This extremely lengthens the brute force. A string can be hashed many times, and you can throw a salt in there too. It could take years (literally) for one a brute-force to completely reveal a single password.
That's why I love hashing.
I hope you learned something!
. so thats what the little processes is, because I am a poll script thats an admin page and stupid me always forgot it, so I went to myphpadmin page to look it up there and all I got was that text string. Interestingly enough routers use the same kind of script if you call it that with keys to help improve on the router security.
