sarciszewski

crypt() is NOT an encryption function

I've been fighting an uphill battle with new developers who don't understand the difference between hashing and encryption, and I believe correcting this w3schools article will help dramatically.

 

http://www.w3schools.com/php/func_string_crypt.asp

 

If we want this article to be accurate, every instance where this article refers to crypt() as an encryption feature needs to be rewritten to say "password hashing" (or simply hashing).

 

Despite its name, crypt() is ported from AT&T Unix v6's crypt(3) function, which was meant for one-way password hashing. See: https://www.freebsd.org/cgi/man.cgi?query=crypt%283%29

You're half right.

 

It's a hashing function and, by extension, a one-way encryption function.

Nope. It's a one-way cryptography function, not a one-way encryption function.

 

Encryption is the art of rendering a message unreadable to everyone who does not possess a secret key. Encryption is, by definition, reversible. Hashing is, by definition, one-way.

 

Cryptography doesn't imply encryption, it can mean any of the following:

  • Encryption
    • Block Ciphers
    • Stream Ciphers
    • Elementary ciphers (substitution, transposition, etc.)
  • Authentication
    • Hash functions, HMAC, etc.
    • Password hashing functions
    • CMAC, Poly1305, GCM, etc.
  • Key Exchange
    • Diffie Hellman, Elliptic Curve Diffie Hellman
  • Digital Signatures
    • RSA, DSA, ECDSA, EdDSA
  • Public Key Infrastructure
  • Cryptographic Side Channels
    • Padding oracle attacks (RSA-PKCS1, etc.)
    • String comparison timing attacks
    • Cache-timing attacks
    • Fault-based side-channels
...and so much more.

 

There isn't a reputable cryptography engineer alive who would say that EdDSA is an encryption algorithm with a straight face. It's just as incorrect to say that a hash function is a form of encryption too.

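The distinction drawn in the post above, shown in PHP as an added example (this is not code from the original thread, from w3schools or from the PHP manual): a secret-key cipher is reversed by anyone holding the key, a plain hash has no inverse at all, and a password hash is a salted, slow hash that can only be verified. It assumes PHP 7.2 or later with the sodium extension; the message and password strings are constructed for the demonstration.

```php
<?php
// Added example, not from the original thread. Requires PHP 7.2+ with ext/sodium.
declare(strict_types=1);

function expect(bool $condition, string $what): void
{
    if (!$condition) {
        throw new RuntimeException("unexpected result: $what");
    }
    echo "ok: $what\n";
}

$message = 'attack at dawn';   // constructed sample plaintext

// --- Encryption: a secret key, and the operation is reversible for anyone holding it ---
$key   = sodium_crypto_secretbox_keygen();                    // 32 random bytes, keep secret
$nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);    // 24 bytes, public, never reused with this key
$ciphertext = sodium_crypto_secretbox($message, $nonce, $key);

expect(sodium_crypto_secretbox_open($ciphertext, $nonce, $key) === $message,
       'the right key recovers the exact plaintext');

// secretbox is authenticated encryption: a wrong key (or a tampered byte)
// yields false rather than garbage.
$otherKey = sodium_crypto_secretbox_keygen();
expect(sodium_crypto_secretbox_open($ciphertext, $nonce, $otherKey) === false,
       'the wrong key recovers nothing');
$tampered = $ciphertext;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);   // flip one bit of the authentication tag
expect(sodium_crypto_secretbox_open($tampered, $nonce, $key) === false,
       'a modified ciphertext is rejected');

// --- Hashing: no key at all, and no inverse operation exists ---
$digest = hash('sha256', $message);
// The only thing you can do with $digest is hash a candidate and compare.
// hash_equals() compares in constant time (see the thread's side-channel list).
expect(hash_equals($digest, hash('sha256', 'attack at dawn')),
       'same input, same digest');
expect(!hash_equals($digest, hash('sha256', 'attack at dusk')),
       'different input, different digest');

// --- Password hashing: still one-way, but salted and deliberately slow ---
$password = 'correct horse battery staple';   // constructed sample password
$stored   = password_hash($password, PASSWORD_DEFAULT);
// The salt is random and embedded in $stored, so re-hashing gives a different
// string, and "compare the two hash strings" is the wrong check...
expect($stored !== password_hash($password, PASSWORD_DEFAULT),
       'two hashes of one password differ because of the salt');
// ...the right check reads the salt and cost back out of $stored.
expect(password_verify($password, $stored), 'password_verify accepts the password');
expect(!password_verify('Correct Horse Battery Staple', $stored),
       'password_verify rejects a near miss');

// Nothing above lets you get $message or $password back from a digest or a
// password hash; the cipher is the only operation with a decrypt step.
```

Run it with `php example.php`; every `expect()` line prints `ok:` or the script throws. The same script makes the terminology point mechanically: the secretbox section has an `_open` call, the hash sections have nothing to call.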

You're right, I don't think anybody would refer to the algorithms used by crypt() as encryption algorithms. I'm quite sure nobody is using crypt() for encryption either, because if they did they'd find out pretty fast that they are not able to retrieve the information they just "encrypted".

 

I see you edited your post, at first I was quite confused as to why you signed up to the W3Schools forum just to tell the world that PHP's crypt() function is not for encryption, you would have access to a lot more people by writing a note on the PHP manual's crypt() page.

 

On the W3Schools website, you can scroll to the bottom of the page and click on the "REPORT ERROR" link if you think the content of the page is incorrect.

My edit pertained to the origins of crypt(3), my computer history isn't great ;)

 

From the PHP manual page:

 

crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system.

 

Their terminology is correct, actually. It's just w3schools that muddies the water between new developers and understanding this particular nuance of cryptography. Don't feel bad, though, I just spent the past few months cleaning up a lot of the PHP questions and answers on Stack Overflow.

 

My employer offers B2B technology consulting, but we also care very much about moving the needle towards other developers being secure by default, both in terms of their tools and frameworks and in terms of the habits they adopt, even if teaching other developers to write better and more secure code doesn't have a positive ROI for us.

 

A lot of programmers seem to learn from w3schools when they're first starting out. That's why I'm even bringing this up at all rather than letting sleeping dogs lie.

 

I hope these corrections are not taken as a sign of disrespect; few people have the knowledge or years of experience to understand the nuance of cryptology and, while I don't hold not understanding these details against anyone, I'm trying to make better knowledge more common.

I'm not part of the W3Schools staff, I just manage the forums, I have no responsibility or control over the website.

Understood. I've reported an error on the page and referenced this topic. I originally did not see this link (thank you for informing me about it), I will be sure to make use of it.

 

Do any of the W3Schools staff frequent the forums? Would posting here be a good way to engage both the community as well as the administration, or is there a better strategy I should pursue?

 

Maybe these aren't easy questions to answer, but any insight you have to offer as a moderator would be invaluable for plotting the course ahead.

Encryption is, by definition, reversible. Hashing is, by definition, one-way.

This is true. Encryption implies decryption, if you can't decrypt then it's not encryption.

Do any of the W3Schools staff frequent the forums?

If they do, they don't post or anything. Kaijim has an account here though, I suppose you could send him a private message. For what it's worth, I was once contacted by the team lead for IE about changing some information prior to the release of a new version of IE (so that the information on the site would be accurate at the time of launch), and I sent private messages, emails, and even found the people on Facebook and sent messages through that. I didn't get a response, but hopefully they got the site updated. The people who run the site aren't very active with the community here.

This is disheartening. I wonder if the folks at w3fools would enjoy this information more (assuming they haven't already listed it as a grievance)?

 

At the very least, they'd probably act on it if I informed them of it.

I notice them updating their website frequently, so while they're not very communicative they do seem to listen to suggestions.

Interesting. On one hand, you say they seem to listen to suggestions.

 

But on balance, they generally ignore the community and so far have not addressed the inaccuracies I brought to their attention.

 

At this point I'm not sure if I would be wasting my time trying to improve their documentation.

To be fair, your post is 4 days old and in the PHP forum.

 

I think the point Ingolme was trying to make is that for those posts made in the Suggestions forum (which is specifically for making suggestions for the W3Schools.com site) the site maintainers tend to implement them, albeit without actually making a post or comment to that effect.

I've also emailed them and used the form at the bottom of the page. There's no way they haven't been informed by now.

Fair enough, so either they will or they won't at this point, I suppose. Your post is very educational, so hopefully at least some of the forum members here will be able to make use of it.

I'm not sure that's much comfort. Most people link to the w3schools website and not the forum, so I'd wager (heuristically) that more people read the misinformative PHP documentation than the forums where people point out inaccuracies that Refsnes Data ignores.

Lol, I use crypt() on my websites? However, I use that one along with SHA1, MD5 and 4-5 different custom-made salt functions that will randomly throw the letters, numbers and signs around to make sure they are very well shaken and ready to be used as a password. Also known as "encrypted" ;)... still working on it though, but it's working perfectly fine at the moment :)

An encrypted message is one that can be decrypted, you can find that in the dictionary or encyclopedia.

 

I would not recommend SHA-1 or MD5 for password hashing. The execution time of those algorithms is too short.

Using crypt() is at best suboptimal. You're better off using password_hash() and password_verify().

 

"However i use that one amongst with SHA1, MD5 and 4-5 different custom-made salt functions that will randomly throw the letters and numbers and signs around to make sure they are very well shaken and ready to be used as an password"

 

Have you never heard the words "don't roll your own crypto" before? This is a bad idea!

Seriously, what's wrong with using password_hash? Do you know more about cryptography than the people who put together the password extension for PHP? Is password security really the thing that you want to go custom on?

I don't know, I am using _hash and functions like that also. I am just adding "more" to the password line; you could call it a random shake of already very well protected and encrypted password makers. I am just rolling the dice so it is even more protected. Like I said, I don't use one, I use A LOT of different encryption methods; that is what I meant anyway, in case you misinterpreted what I said Oo? So it is not "all" custom made, I just added a few things to some PHP encryption methods that were pre-added in the beginning ^^...

Like I said, I don't use one, I use A LOT of different encryption methods; that is what I meant anyway, in case you misinterpreted what I said Oo?

This is partly a terminology problem. I doubt very much that you are using any encryption at all. You are using hashing. Like we've talked about in this thread, they are not the same thing. Passwords are almost never encrypted, they are hashed, typically with a salt. If you cannot reverse it to get the original plain text then it is not encryption. Algorithms like MD5 and the SHA family are not encryption. They are part of cryptography in general, but they are not encryption, they are one-way hashing algorithms. If you talk about hashing but use the term encryption it marks you as someone who might not know what they're talking about, because people who know the difference don't use "encryption" and "hashing" interchangeably.

As far as the password_hash function goes, it's not necessary to add anything extra, in fact adding additional hashing may break some of the features of password_hash (like automatically verifying and updating as necessary). There's a good writeup here that mentions some of the benefits:

http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/

One of the benefits is the fact that you can define a cost. That means that you can specify that you want the server to use, for example, a quarter of a second to calculate the hash. In that case it will hash over and over using a secure salt as many times as it takes according to the cost. If your password hashes take .25 seconds to calculate then it increases the time required to brute-force a specific password (by a lot). Now instead of calculating hundreds or thousands of hashes per second, an attacker can only calculate 4, more or less depending on their hardware.

This is why I'm telling you just to use password_hash, read about how it works if you want. The people who designed that did so after more than a decade of experience using PHP to store passwords, and the people who implemented it probably know more about practical cryptography than either you or I ever will. They brought in best practices (random salts, cost, etc) that have been worked out over years and years of storing passwords, not even just by PHP.
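The workflow recommended in the two posts above (use password_hash() and password_verify() rather than hand-rolled crypt() calls, and let the cost parameter set the per-hash work factor), as an added PHP example that is not from the original thread or from the linked writeup. The 0.25 s target, the legacy cost of 4, and the password strings are constructed for the demonstration; the calibration loop follows the same benchmark-and-raise pattern the PHP manual uses for password_hash(). It assumes PHP 7.1 or later.

```php
<?php
// Added example, not from the original thread. Requires PHP 7.1+ (short list
// assignment); password_hash()/password_needs_rehash() themselves date from 5.5.
declare(strict_types=1);

// Raise the bcrypt cost until one hash takes at least $targetSeconds on this
// machine. Each +1 doubles the work, for the login path and the attacker alike.
function calibrateCost(float $targetSeconds, int $start = 10, int $max = 14): int
{
    for ($cost = $start; $cost < $max; $cost++) {
        $t0 = microtime(true);
        password_hash('benchmark-only', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $t0 >= $targetSeconds) {
            return $cost;
        }
    }
    return $max;
}

// Registration: one call. The salt comes from a CSPRNG inside password_hash()
// and is embedded in the output ($2y$<cost>$<22-char salt><31-char hash>),
// so there is no separate salt column and nothing "extra" to add.
function register(string $password, int $cost): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

// Login: verify against the stored string, then upgrade it in place if it was
// made with a weaker cost (or algorithm) than current policy. This is the
// "automatically verifying and updating" feature the post refers to, and it
// only works because the stored string is exactly what password_hash() returned.
// Returns [verified, hash to write back (unchanged if no upgrade was needed)].
function login(string $password, string $stored, int $currentCost): array
{
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => $currentCost])) {
        $stored = password_hash($password, PASSWORD_BCRYPT, ['cost' => $currentCost]);
    }
    return [true, $stored];
}

// For comparison, the same bcrypt hash produced with crypt() directly: you must
// build a correctly formatted salt yourself and remember a constant-time compare.
// A typo in the "$2y$" prefix, a short salt, or a "==" comparison degrades silently.
function legacyCryptHash(string $password, int $cost): string
{
    // 22 characters from the bcrypt salt alphabet (./A-Za-z0-9)
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, sprintf('$2y$%02d$%s', $cost, $salt));
}

function legacyCryptVerify(string $password, string $stored): bool
{
    return hash_equals($stored, crypt($password, $stored));
}

// --- Demonstration with constructed data ---
$policyCost = calibrateCost(0.25);
echo "cost for roughly 0.25 s per hash on this machine: $policyCost\n";

// A hypothetical legacy row, hashed at cost 4 (the bcrypt minimum).
$row = register('correct horse battery staple', 4);
echo "stored (weak cost): $row\n";

[$ok, $row] = login('correct horse battery staple', $row, $policyCost);
echo $ok ? "login ok, row upgraded to: $row\n" : "login failed\n";

[$ok] = login('wrong password', $row, $policyCost);
echo $ok ? "unexpected success\n" : "wrong password rejected\n";

// crypt() output uses the same format, so rows made that way still verify with
// password_verify(): migrating to password_hash() is a code change, not a data migration.
$legacy = legacyCryptHash('hunter2', 10);
echo (legacyCryptVerify('hunter2', $legacy) && password_verify('hunter2', $legacy))
    ? "crypt()-made hash verifies with both APIs\n"
    : "mismatch\n";
```

Run it with `php example.php`. Store whatever `login()` hands back so the upgrade sticks; if you wrap `password_hash()` in further hashing steps, `password_needs_rehash()` can no longer tell what policy the stored string was made under, which is the feature the post warns you would lose.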

If it helps to shed some light on the different terms and concepts involved in cryptography, we did publish a blog post explaining this in detail.

 

https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded

Okay, I know it's been a while, but thanks, lol hehe. Just seen this today, "2 years from now", lol haha xD

I would like to see W3Schools provide an example of a proper login system in their PHP example code area.
