Hide your hash function


So you are tasked with creating an open source password authentication system but you want to reveal as little about the implementation of the hash function as possible. Can you write a function that takes in a password string and a salt string and outputs a salted hash string without revealing the hashing function?

End date: 6th of July

Popularity contest: whoever is voted as hardest to figure out the hashing method wins.

Restriction: must use a hashing function accepted as secure.

ford prefect

Posted 2014-06-24T15:30:36.003

Reputation: 125

What do you mean "without revealing the salt"? So you mean that the salt should be static and hard-coded, or that it should be dynamic - in which case you'd get a different response every time you called the function – James_pic – 2014-06-24T15:55:37.447

This question makes no sense. The salt should be an input. – Peter Taylor – 2014-06-24T15:55:41.443

@PeterTaylor Didn't think about that correctly. Yeah the salt string is an input – ford prefect – 2014-06-24T17:32:55.937

"without revealing" is this a [tag:obfuscation] (make code as unreadable as possible) or [tag:underhanded] (make code look as if it does something else)? – None – 2014-06-24T19:22:45.257

@professorfish obfuscation (for security)... I thought this would be an interesting question. I am new to golfing – ford prefect – 2014-06-24T19:24:12.513

@inquisitiveIdiot Security through obscurity? I'm sure that'll work out just great... – ɐɔıʇǝɥʇuʎs – 2014-06-24T19:25:12.393

@ɐɔıʇǝɥʇuʎs if you're gonna open source an authentication then your security is limited either way – ford prefect – 2014-06-24T19:25:56.847

Because the salt is an input, it is not hidden. I suggest to delete the requirements about hiding the salt. Delete "either the salt or". Then in "figure out the hashing method and salt", delete "and salt". – kernigh – 2014-06-24T19:58:39.367

@kernigh fair point – ford prefect – 2014-06-24T20:14:05.390

@inquisitiveIdiot I disagree on your open source standpoint; making something like RSA public only makes it more secure as the public can scrutinize it – qwr – 2014-06-25T09:30:37.823

None of the functions mentioned in answers so far are secure password hashing functions. Secure password hashing functions must be slow. – Gilles 'SO- stop being evil' – 2014-08-26T18:01:17.353

The assertions that “if you're gonna open source an authentication then your security is limited either way” and “obfuscation (for security)” are utterly ludicrous. All you'd be hiding is your incompetence, and it's easily revealed (and so are your users' passwords). – Gilles 'SO- stop being evil' – 2014-08-26T18:02:52.893
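Taking the question's specification literally (password in, salt in, salted hash string out) together with Gilles' point that a password hash must be slow, this is how the function is written in practice without hiding anything. It is an added example, not code from the question or from any answer; the iteration count and the `algorithm$iterations$salt$hexdigest` record format are my assumptions.

```python
import hashlib
import hmac
import secrets

# Work factor: a password hash must be slow. 600_000 PBKDF2-HMAC-SHA-256 rounds
# is an assumption for this example; tune it to your hardware and raise it over time.
ITERATIONS = 600_000
ALGORITHM = 'pbkdf2_sha256'


def derive(password: str, salt: str, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA-256 of the password under the given salt.
    The salt is an input and is never hidden; the method is public too."""
    return hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'),
                               salt.encode('utf-8'), iterations, dklen=32)


def new_salt() -> str:
    """Fresh random 128-bit salt, hex-encoded so it cannot contain the '$' separator."""
    return secrets.token_hex(16)


def hash_password(password: str, salt: str, iterations: int = ITERATIONS) -> str:
    """Salted hash string that names its own algorithm and parameters:
    algorithm$iterations$salt$hexdigest (assumed record format)."""
    if '$' in salt:
        raise ValueError("salt must not contain '$'")
    return f"{ALGORITHM}${iterations}${salt}${derive(password, salt, iterations).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record and compare in constant time."""
    try:
        algorithm, iterations, salt, digest = stored.split('$')
        rounds = int(iterations)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = derive(password, salt, rounds).hex()
    return hmac.compare_digest(candidate, digest)


if __name__ == '__main__':
    salt = new_salt()
    record = hash_password('correct horse battery staple', salt)
    print(record)
    print(verify_password('correct horse battery staple', record))  # True
```

Everything an attacker could learn from the source (algorithm, iteration count, salt format) is also written into every stored record, which is the point: the only secret is the password, and the cost of each guess comes from the iteration count, not from obscurity.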



Python 3

Uninspired solution - hide your hash function with hash-looking code

import base64

a = b'66726F6D20686173686C696220696D706F72742A3B7072696E74287368613235'
b = b'3628627974657328696E70757428292B696E70757428292C277574662D382729'
c = b'292E686578646967657374282929232048656C6C6F2074686572652021402324'

# The three "hash-looking" hex strings are the program: decode them as base 16 and run the result.
exec(base64.b16decode(a+b+c))



Posted 2014-06-24T15:30:36.003

Reputation: 8 929

That's not a hash function - that's just base 16. – sdamashek – 2014-06-25T02:05:49.807

@sdamashek it must be hidden too well... that's actually sha256. – primo – 2014-06-25T03:34:18.357

@primo oops, I didn't actually check the decoded result. :P – sdamashek – 2014-06-26T04:28:05.767

SHA-256 is a secure hash function, but not a secure password hash function. – Gilles 'SO- stop being evil' – 2014-08-26T18:05:12.093



Need a way to obfuscate your choice of hashing function? Why not use a hashing function?

require 'digest'

three_card_monte = %w[SHA1 MD5 RMD160]

part1, part2 = three_card_monte.repeated_permutation(2).find{|x,y|Digest(x).base64digest(y)[/tada!?/i]}

part2.send( ('mode'..$&).find{|x|Digest(part1).base64digest(x)[/\d\dSXQ/]}<<$&.to_i.chr)

puts Digest(part2).base64digest(gets+gets)


Posted 2014-06-24T15:30:36.003

Reputation: 20 600

None of SHA-1, MD5 or MD-160 are secure password hash functions. – Gilles 'SO- stop being evil' – 2014-08-26T18:05:52.087



This one is not a hashing function, takes no salt, and is completely insecure, but can you tell what it is?

def f(x):
    a=ord(x);b=a+13  # code point of the character, and the same shifted by 13
    if not (97<=a<=122 or 65<=a<=90):return x
    if (65<=a<=90 and b>90) or b>122: b-=26
    return chr(b)
print(''.join(f(i) for i in input()))

It's rot13

Here is an actual hashing function.

import hashlib
salt = b'cHJpbnQoaGFzaGxpYi5zaGEyNTYoYnl0ZXMoaW5wdXQoKStpbnB1dCgpLCd1dGYtOCcpKS5oZXhkaWdlc3QoKSkKZXhpdCgp';import base64;exec(base64.b64decode(salt))
print(hashlib.md5(bytes(input(), 'utf-8') + salt).hexdigest())

Note that it is not md5 and it does not use a hard coded salt. Based on qwr's solution.

Ian D. Scott

Posted 2014-06-24T15:30:36.003

Reputation: 1 841

SHA-256 is a secure hash function, but not a secure password hash function. – Gilles 'SO- stop being evil' – 2014-08-26T18:06:41.413