sarciszewski Posted August 1, 2015 Share Posted August 1, 2015 (edited) I've been fighting an uphill battle with new developers who don't understand the difference between hashing and encryption, and I believe correcting this w3schools article will help dramatically. http://www.w3schools.com/php/func_string_crypt.asp If we want this article to be accurate, every instance where this article refers to crypt() as an encryption feature needs to be rewritten to say "password hashing" (or simply hashing). Despite its name, crypt() is ported from AT&T Unix v6's crypt(3) function, which was meant for one-way password hashing. See: https://www.freebsd.org/cgi/man.cgi?query=crypt%283%29 Edited August 2, 2015 by sarciszewski Link to comment Share on other sites More sharing options...
Ingolme Posted August 1, 2015 Share Posted August 1, 2015 You're half right. It's a hashing function and, by extension, a one-way encryption function. Link to comment Share on other sites More sharing options...
sarciszewski Posted August 2, 2015 Author Share Posted August 2, 2015 (edited) Nope. It's a one-way cryptography function, not a one-way encryption function. Encryption is the art of rendering a message unreadable to everyone who does not possess a secret key. Encryption is, by definition, reversible. Hashing is, by definition, one-way. Cryptography doesn't imply encryption, it can mean any of the following: EncryptionBlock Ciphers Stream Ciphers Elementary ciphers (substitution, transposition, etc.) [*]Authentication Hash functions, HMAC, etc. Password hashing functions CMAC, Poly1305, GCM, etc. [*]Key Exchange Diffie Hellman, Elliptic Curve Diffie Hellman[*]Digital Signatures RSA, DSA, ECDSA, EdDSA[*]Public Key Infrastructure[*]Cryptographic Side Channels Padding oracle attacks (RSA-PKCS1, etc.) String comparison timing attacks Cache-timing attacks Fault-based side-channels ...and so much more. There isn't a reputable cryptography engineer alive who would say that EdDSA is an encryption algorithm with a straight face. It's just as incorrect to say that a hash function is a form of encryption too. Edited August 2, 2015 by sarciszewski Link to comment Share on other sites More sharing options...
Ingolme Posted August 2, 2015 Share Posted August 2, 2015 You're right, I don't think anybody would refer to the algorithms used by crypt() as encryption algorithms. I'm quite sure nobody is using crypt() for encryption either, because if they did they'd find out pretty fast that they are not able to retrieve the information they just "encrypted". I see you edited your post, at first I was quite confused as to why you signed up to the W3Schools forum just to tell the world that PHP's crypt() function is not for encryption, you would have access to a lot more people by writing a note on the PHP manual's crypt() page On the W3Schools website, you can scroll to the bottom of the page and click on the "REPORT ERROR" link if you think the content of the page is incorrect. Link to comment Share on other sites More sharing options...
sarciszewski Posted August 2, 2015 Author Share Posted August 2, 2015 (edited) You're right, I don't think anybody would refer to the algorithms used by crypt() as encryption algorithms. I'm quite sure nobody is using crypt() for encryption either, because if they did they'd find out pretty fast that they are not able to retrieve the information they just "encrypted". I see you edited your post, at first I was quite confused as to why you signed up to the W3Schools forum just to tell the world that PHP's crypt() function is not for encryption, you would have access to a lot more people by writing a note on the PHP manual's crypt() page On the W3Schools website, you can scroll to the bottom of the page and click on the "REPORT ERROR" link if you think the content of the page is incorrect. My edit pertained to the origins of crypt(3), my computer history isn't great From the PHP manual page: crypt() will return a hashed string using the standard Unix DES-based algorithm or alternative algorithms that may be available on the system. Their terminology is correct, actually. It's just w3schools that muddies the water between new developers and understanding this particular nuance of cryptography. Don't feel bad, though, I just spent the past few months cleaning up a lot of the PHP questions and answers on Stack Overflow. My employer offers B2B technology consulting, but we also care very much about moving the needle towards other developers being secure by default, both in terms of their tools and frameworks but also in terms of the habits they adopt. Even if teaching other developers to write better and more secure code doesn't have a positive ROI for us. A lot of programmers seem to learn from w3schools when they're first starting out. That's why I'm even bringing this up at all rather than letting sleeping dogs lie. I hope these corrections are not taken as a sign of disrespect; few people have the knowledge or years of experience to understand the nuance of cryptology and, while I don't hold not understanding these details against anyone, I'm trying to make better knowledge more common. Edited August 2, 2015 by sarciszewski Link to comment Share on other sites More sharing options...
Ingolme Posted August 2, 2015 Share Posted August 2, 2015 I'm not part of the W3Schools staff, I just manage the forums, I have no responsibility or control over the website. Link to comment Share on other sites More sharing options...
sarciszewski Posted August 2, 2015 Author Share Posted August 2, 2015 I'm not part of the W3Schools staff, I just manage the forums, I have no responsibility or control over the website. Understood. I've reported an error on the page and referenced this topic. I originally did not see this link (thank you for informing me about it), I will be sure to make use of it. Do any of the W3Schools staff frequent the forums? Would posting here be a good way to engage both the community as well as the administration, or is there a better strategy I should pursue? Maybe these aren't easy questions to answer, but any insight you have to offer as a moderator would be invaluable for plotting the course ahead. Link to comment Share on other sites More sharing options...
justsomeguy Posted August 3, 2015 Share Posted August 3, 2015 Encryption is, by definition, reversible. Hashing is, by definition, one-way.This is true. Encryption implies decryption, if you can't decrypt then it's not encryption.Do any of the W3Schools staff frequent the forums?If they do, they don't post or anything. Kaijim has an account here though, I suppose you could send him a private message. For what it's worth, I was once contacted by the team lead for IE about changing some information prior to the release of a new version of IE (so that the information on the site would be accurate at the time of launch), and I sent private messages, emails, and even found the people on Facebook and sent messages through that. I didn't get a response, but hopefully they got the site updated. The people who run the site aren't very active with the community here. Link to comment Share on other sites More sharing options...
sarciszewski Posted August 4, 2015 Author Share Posted August 4, 2015 (edited) This is true. Encryption implies decryption, if you can't decrypt then it's not encryption.If they do, they don't post or anything. Kaijim has an account here though, I suppose you could send him a private message. For what it's worth, I was once contacted by the team lead for IE about changing some information prior to the release of a new version of IE (so that the information on the site would be accurate at the time of launch), and I sent private messages, emails, and even found the people on Facebook and sent messages through that. I didn't get a response, but hopefully they got the site updated. The people who run the site aren't very active with the community here. This is disheartening. I wonder if the folks at w3fools would enjoy this infromation more (assuming they haven't already listed it as a grievance)? At the very least, they'd probably act on it if I informed them of it. Edited August 4, 2015 by sarciszewski Link to comment Share on other sites More sharing options...
Ingolme Posted August 4, 2015 Share Posted August 4, 2015 I notice them updating their website frequently, so while they're not very communicative they do seem to listen to suggestions. Link to comment Share on other sites More sharing options...
sarciszewski Posted August 5, 2015 Author Share Posted August 5, 2015 I notice them updating their website frequently, so while they're not very communicative they do seem to listen to suggestions. Interesting. On one hand, you say they seem to listen to suggestions. But on balance, they generally ignore the community and so far have not addressed the inaccuracies I brought to their attention. At this point I'm not sure if I would be wasting my time trying to improve their documentation. Link to comment Share on other sites More sharing options...
thescientist Posted August 5, 2015 Share Posted August 5, 2015 To be fair, your post is 4 days old and in the PHP forum. I think the point Ingolme was trying to make is that for those posts made in the Suggestions forum (which is specially for making suggestions for the W3Schools.com site) the site maintainers tend to implement them, albeit while not actually making a post or comment to that affect. Link to comment Share on other sites More sharing options...
justsomeguy Posted August 5, 2015 Share Posted August 5, 2015 I've moved the thread. Link to comment Share on other sites More sharing options...
sarciszewski Posted August 5, 2015 Author Share Posted August 5, 2015 To be fair, your post is 4 days old and in the PHP forum. I think the point Ingolme was trying to make is that for those posts made in the Suggestions forum (which is specially for making suggestions for the W3Schools.com site) the site maintainers tend to implement them, albeit while not actually making a post or comment to that affect. I've also emailed them and used the form at the bottom of the page. There's no way they haven't been informed by now. Link to comment Share on other sites More sharing options...
thescientist Posted August 5, 2015 Share Posted August 5, 2015 Fair enough, so either they will or they won't at this point I suppose. You're post is very educational, so hopefully at least some of the forum members here will be able to make use of it. 1 Link to comment Share on other sites More sharing options...
sarciszewski Posted August 15, 2015 Author Share Posted August 15, 2015 Fair enough, so either they will or they won't at this point I suppose. You're post is very educational, so hopefully at least some of the forum members here will be able to make use of it. I'm not sure that's much comfort. Most people link to the w3schools website and not the forum, so I'd wager (heuristically) that more people read the misinformative PHP documentation than the forums where people point out inaccuracies that Refsnes Data ignores. Link to comment Share on other sites More sharing options...
rootKID Posted August 15, 2015 Share Posted August 15, 2015 Lol, i use Crypt() on my websites? However i use that one amongst with SHA1, MD5 and 4-5 different custom-made salt functions that will randomly throw the letters and numbers and signs around to make sure they are very well shaken and ready to be used as an password. Also known to be "Encrypted" .... still working on it tho, but working at the moment perfectly fine Link to comment Share on other sites More sharing options...
Ingolme Posted August 15, 2015 Share Posted August 15, 2015 An encrypted message is one that can be decrypted, you can find that in the dictionary or encyclopedia. I would not recommend SHA-1 or MD5 for password hashing. The execution time of those algorithms is too short. Link to comment Share on other sites More sharing options...
sarciszewski Posted August 16, 2015 Author Share Posted August 16, 2015 Lol, i use Crypt() on my websites? However i use that one amongst with SHA1, MD5 and 4-5 different custom-made salt functions that will randomly throw the letters and numbers and signs around to make sure they are very well shaken and ready to be used as an password. Also known to be "Encrypted" .... still working on it tho, but working at the moment perfectly fine Using cypt() is at best suboptimal. You're better off using password_hash() and password_verify(). "However i use that one amongst with SHA1, MD5 and 4-5 different custom-made salt functions that will randomly throw the letters and numbers and signs around to make sure they are very well shaken and ready to be used as an password" Have you never heard the words "don't roll your own crypto" before? This is a bad idea! Link to comment Share on other sites More sharing options...
justsomeguy Posted August 17, 2015 Share Posted August 17, 2015 Seriously, what's wrong with using password_hash? Do you know more about cryptography than the people who put together the password extension for PHP? Is password security really the thing that you want to go custom on? Link to comment Share on other sites More sharing options...
rootKID Posted August 18, 2015 Share Posted August 18, 2015 I dont know, i am using _hash and functions like that also. I am just adding "more" to the password line, you could call it a random shake of already very well protected and encrypted password makers. I am just rolling the dice so it is even more protected. Like i said, i dont use one, i use ALOT of different encryption methods, that is what i ment anyways in case you misinterpated what i said Oo? So it is not "all" custom made, just added a few things to some PHP encryption methods that was pre-added in the beginning ^^... Link to comment Share on other sites More sharing options...
justsomeguy Posted August 18, 2015 Share Posted August 18, 2015 Like i said, i dont use one, i use ALOT of different encryption methods, that is what i ment anyways in case you misinterpated what i said Oo?This is partly a terminology problem. I doubt very much that you are using any encryption at all. You are using hashing. Like we've talked about in this thread, they are not the same thing. Passwords are almost never encrypted, they are hashed typically with a salt. If you cannot reverse it to get the original plain text then it is not encryption. Algorithms like MD5 and the SHA family are not encryption. They are part of cryptography in general, but they are not encryption, they are one-way hashing algorithms. If you talk about hashing but use the term encryption it marks you as someone who might not know what they're talking about, because people who know the difference don't use "encryption" and "hashing" interchangeably.As far as the password_hash function goes, it's not necessary to add anything extra, in fact adding additional hashing may break some of the features of password_hash (like automatically verifying and updating as necessary). There's a good writeup here that mentions some of the benefits:http://jeremykendall.net/2014/01/04/php-password-hashing-a-dead-simple-implementation/One of the benefits is the fact that you can define a cost. That means that you can specify that you want the server to use, for example, a quarter of a second to calculate the hash. In that case it will hash over and over using a secure salt as many times as it takes according to the cost. If your password hashes take .25 seconds to calculate then it increases the time required to brute-force a specific password (by a lot). Now instead of calculating hundreds or thousands of hashes per second, an attacker can only calculate 4, more or less depending on their hardware.This is why I'm telling you just to use password_hash, read about how it works if you want. The people who designed that did so after more than a decade of experience using PHP to store passwords, and the people who implemented it probably know more about practical cryptography than either you or I ever will. They brought in best practices (random salts, cost, etc) that have been worked out over years and years of storing passwords, not even just by PHP. 1 Link to comment Share on other sites More sharing options...
sarciszewski Posted August 19, 2015 Author Share Posted August 19, 2015 If it helps to shed some light on the different terms and concepts involved in cryptography, we did publish a blog post explaining this in detail. https://paragonie.com/blog/2015/08/you-wouldnt-base64-a-password-cryptography-decoded Link to comment Share on other sites More sharing options...
rootKID Posted February 25, 2017 Share Posted February 25, 2017 okay i know it's been a while, but thanks lol hehe, just seen this today "2 years from now", lol haha Link to comment Share on other sites More sharing options...
davej Posted February 25, 2017 Share Posted February 25, 2017 I would like to see W3Schools provide an example of a proper login system in their Php example code area. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now