Hello
The hash system used by Harbour is not very efficient and can be hacked. Every time a hash is generated on a key, it generates the same hash which can be hacked using a hash dictionary.
The most convenient thing would be that each time it is executed, it generates a different hash and, using another function, it can be compared to see if it is the same key entered, as is done in PHP.
password_hash
https://www.php.net/manual/en/function.password-hash.php
This function verifies whether the key that generates the hash is the same
password_verify
https://www.php.net/manual/en/function.password-verify.php
With this implementation, the security of the keys in Harbour would be improved.
Good evening
When using password_hash(), the returned value includes the salt as part of the generated hash. This value should be stored as is in the database, as it includes information about the hash function that was used and thus directly provided to password_verify() or crypt() when verifying passwords.
Code PHP
<?php
// Your code here!
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
echo password_hash("rasmuslerdorf", PASSWORD_DEFAULT)."\n";
?>
Output
$2y$10$efkdoqsodqm69U5Vz9Z5j.W7KmY0o8KdO/fcZJ5pj3Tg1ZJHjFfKy
$2y$10$ckpfhWgK361rZteBDJ4sAu5.SFpb/bZb7KN8AUStzXMd3ZOzjVnpe
$2y$10$yIkEo01XCKxdPQ3THvvSMOqnd8v7ZMgGGkkBy4nH8BUkYHq.AlM3G
$2y$10$YH.ZANzWReHUwe.n9HfR5unz.dBtQw/qKyWnKE.nbLs1Y8CldlL56
$2y$10$a1tgX85qLqnoi4GTwB35huhM0By8Zaz7XfeFj12/7KNN607Bf0Ati
As you can see, the first 7 characters are the same; with this code, password_verify can generate the same hash.
Attached is a C file of the implementation of password_hash for PHP.
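The salt-in-the-hash mechanism discussed in this thread, as an added example that is not part of either message, the attached C file, or Harbour's code: a bcrypt string is `$2y$`, a two-digit cost, `$`, a 22-character salt and a 31-character digest, so verification re-hashes the candidate password with the stored salt and cost and compares. The helper names `parse_bcrypt` and `verify_by_rehash` are hypothetical, and `PASSWORD_BCRYPT` is used instead of `PASSWORD_DEFAULT` so the format is fixed.

```php
<?php
// Added example, not from the thread. parse_bcrypt() and verify_by_rehash()
// are hypothetical helper names; the sample password is the one used above.

// Split a bcrypt string into its fields; returns null if it is not bcrypt.
// Layout: "$2y$" + 2-digit cost + "$" + 22-char salt + 31-char digest.
function parse_bcrypt(string $hash): ?array
{
    $re = '#^\$(2[abxy])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#';
    if (!preg_match($re, $hash, $m)) {
        return null;
    }
    return ['id' => $m[1], 'cost' => (int) $m[2], 'salt' => $m[3], 'digest' => $m[4]];
}

// Verify by re-hashing the candidate with the salt and cost stored in the hash.
function verify_by_rehash(string $password, string $stored): bool
{
    if (parse_bcrypt($stored) === null) {
        return false; // reject anything that is not a well-formed bcrypt string
    }
    // crypt() reads the algorithm, cost and salt from $stored and recomputes.
    $recomputed = crypt($password, $stored);
    // Constant-time comparison of the full strings.
    return hash_equals($stored, $recomputed);
}

$password = 'rasmuslerdorf';
$a = password_hash($password, PASSWORD_BCRYPT); // fresh random salt
$b = password_hash($password, PASSWORD_BCRYPT); // another fresh random salt
$fa = parse_bcrypt($a);
$fb = parse_bcrypt($b);

echo "A: $a\nB: $b\n";
echo 'same id and cost:  ', var_export([$fa['id'], $fa['cost']] === [$fb['id'], $fb['cost']], true), "\n";
echo 'same salt:         ', var_export($fa['salt'] === $fb['salt'], true), "\n";
echo 'same stored value: ', var_export($a === $b, true), "\n";

// Both stored values accept the right password and reject a wrong one.
foreach ([$a, $b] as $stored) {
    echo 'right password: ', var_export(verify_by_rehash($password, $stored), true),
         ', wrong password: ', var_export(verify_by_rehash('not-the-password', $stored), true),
         ', password_verify agrees: ', var_export(password_verify($password, $stored), true), "\n";
}

// The cost lives in the hash, so old hashes can be found and upgraded at login.
echo 'needs rehash at cost 13: ',
     var_export(password_needs_rehash($a, PASSWORD_BCRYPT, ['cost' => 13]), true), "\n";
```

A port to another language needs the same three pieces: a random salt per hash, the salt and cost stored inside the hash string, and a constant-time comparison at verification.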