1

Follow-up to this question: Strong PHP hashing without salt.

Without entering into the details, using bcrypt without salt/pepper is a bit complex for my case, so I'm staying on a "plain loop" implementation.

In the "version 1" below, I'm simply hashing the sha512 repeatedly, whereas in "version 2" I include the input data in each iteration:

$data = $websiteDomain . $myChildSchool . $myPetName . $etc;

// version 1
$result = $data;
for ($i = 0; $i < 1000000; ++$i) {
    $result = hash('sha512', $result, true);
}

// version 2
$result = '';
for ($i = 0; $i < 1000000; ++$i) {
    $result = hash('sha512', $data . $result, true);
}

$result = str_replace(['/', '+', '='], '', base64_encode($result));
$result = substr($result, 0, $passwordLength);

Is "version 2" more secure?

I'm thinking about stuff like parallelization for "version 1", where the first hash would be normally computed, then the 999,999 remaining hashes of each candidate would be computed using some parallelized processing.

Community
  • 1
Gras Double
  • 153
  • 7
  • 3
    You are inventing your own crypto-soup here. Don't. If you want to do key-stretching, use a well known key-stretching algorithm instead. Search this site for PBKDF2. – Jacco Dec 26 '16 at 14:08
  • I know, I know. But using bcrypt with a defined salt [is a pain](http://security.stackexchange.com/questions/20862/php-crypt-trims-the-salt-as-it-would-be-too-long). I just want a simple code yet practically secure. Here I just want to know if version 2 is more secure than version 1. – Gras Double Dec 27 '16 at 04:20
  • Also, PBKDF2 is basically the same as my "version 2" above. It only adds a XOR, [whose utility isn't granted](http://crypto.stackexchange.com/questions/135/why-does-pbkdf2-xor-the-iterations-of-the-hash-function-together). – Gras Double Dec 27 '16 at 04:52
  • 1
    Related, on crypto.stackexchange.com: [How is it possible to parallelize a hashing function to crack an iteratively hashed password?](http://crypto.stackexchange.com/questions/3993/how-is-it-possible-to-parallelize-a-hashing-function-to-crack-an-iteratively-has) – Gras Double Dec 27 '16 at 15:44
  • Refs another related question: [The logic of preferring PBKDF2 over iterative SHA2](https://crypto.stackexchange.com/questions/60294/the-logic-of-preferring-pbkdf2-over-iterative-sha2) – Gras Double Apr 29 '20 at 05:44

1 Answers1

1

using bcrypt without salt/pepper is a bit complex for my case

Use bcrypt with the cost parameter specified for key stretching, examples in the official doc: http://php.net/manual/en/function.password-hash.php

password_hash("unsalted password", PASSWORD_BCRYPT, ["cost" => $cost]);

Is it more complex? I don't think so.

Side note: all PHP versions where password_hash is supported, have automatic salt generation enabled by default. If not using PHP7, you can specify your own (salt parameter in the array) but I don't see the point of doing so.

Rápli András
  • 2,124
  • 11
  • 24
  • It's for some [specific use case](http://security.stackexchange.com/questions/142659/strong-php-hashing-without-salt), I don't want random salt as I need the hash to be reproducible. And as I mentioned in a comment above, defining a salt [is a pain](http://security.stackexchange.com/questions/20862/php-crypt-trims-the-salt-as-it-would-be-too-long), also it just won't be possible in the future. – Gras Double Dec 28 '16 at 13:24
  • Apparently you misunderstood, by "bcrypt without salt" I don't mean "let the application generate the salt", but "use no salt" (i.e. empty, or constant). – Gras Double Dec 28 '16 at 13:32
  • Okay, I missed your previous topic. bcrypt is not capable of making reproducible hashes without providing the salt. I can't remember another SPL function for key stretching that would fit your needs. – Rápli András Dec 28 '16 at 13:32
  • But if you give up ever migrating to PHP7, you can still use it :) – Rápli András Dec 28 '16 at 13:35