Thread: Seeking extremely easily non secure pwd hash

  1. #1
    Member
    I'm not much of a programmer, so I'm seeking an extremely easy pwd hash method.
    I have to do it myself with very basic operators or use a standard Windows DLL call.

    It doesn't have to be super secure; it just has to be better than just plain text.
    It's going to work on just a 4-character PIN.

  2. #2
    Member
    Will the hash be salted or not? If not, you might as well store the PIN in cleartext. If yes, you still don't want to implement anything yourself; the BCrypt API in Windows supports the following hashes: https://msdn.microsoft.com/en-us/lib...(v=vs.85).aspx
    I see PBKDF2 there, so there's at least one very strong (and slow) hash available.

  3. #3
    Member
    #2
    It might get a salt, but it's really not for something super secure. It's just to stop people seeing the plain text password. There's nothing behind it that would be worth more than a few seconds of effort.

    Thank you

  4. #4
    Member
    For hashing passwords, the best choice is normally Argon2. If you're trying to sell software for US government use, PBKDF2 is probably your best choice since it's based on NIST-approved primitives. It's very easy to just drop an Argon2 or PBKDF2 implementation into your source tree, so for passwords I'm not sure how much sense it makes to use anything else. It doesn't matter if you don't have much coding experience, other people have already written the tricky bits for you.

    That said, no matter what you do, 4-digit PINs aren't going to be secure unless you store them in special hardware which limits the number of unsuccessful attempts; it's just too easy to try all 10,000 possibilities (even if they take 2 seconds each, worst case it's only ~5.5 hours to crack one). In this case, I'd probably just store the PIN as a 32-bit number, XOR it with some salt (maybe the username hashed with something like djb2), then run it through a simple integer hash function. It won't be secure, but it should be enough to thwart casual attackers.

  5. #5
    Member
    #4 It's not for any real security; it's just to avoid non/low-tech people reading another person's PIN. There is no value behind it of any real concern. I just added it because I don't like storing it in plain text. No external connection whatsoever.

  6. #6
    Programmer Bulat Ziganshin
    there are plenty of solutions. basically, it seems that you prefer something computable in a few operations (so no crc32), and mapping 1:1 to the original value (to avoid both false positives and false negatives). there is the class of reversible operations for integers in a given range - add const, xor by const, exchange digits, and multiply by a coprime value (i.e. for the 0..9999 range - not divisible by 2 or 5)

    so example of such hash - (x+1234)*5679 mod 10000
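
An added example, not part of the original post: the affine map above with its inverse, showing why the multiplier must be coprime to 10000 and that the stored value is only as private as the constants in the program. The function names and the comparison multiplier 5680 are assumptions made for this illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr uint32_t RANGE = 10000;  // 4-digit PINs, 0000..9999
constexpr uint32_t ADD = 1234;     // constants taken from the post's example
constexpr uint32_t MUL = 5679;     // not divisible by 2 or 5, so coprime to 10000

// Forward map from the post: (x + 1234) * 5679 mod 10000.
uint32_t obscure(uint32_t pin) { return (pin + ADD) % RANGE * MUL % RANGE; }

// Modular inverse of a mod m (extended Euclid); returns 0 when gcd(a, m) != 1.
uint32_t mod_inverse(int64_t a, int64_t m) {
    int64_t r0 = m, r1 = a % m, t0 = 0, t1 = 1;
    while (r1 != 0) {
        int64_t q = r0 / r1;
        int64_t r2 = r0 - q * r1; r0 = r1; r1 = r2;
        int64_t t2 = t0 - q * t1; t0 = t1; t1 = t2;
    }
    return r0 == 1 ? uint32_t((t0 % m + m) % m) : 0;
}

// Undo the map: multiply by MUL^-1, then subtract ADD, all mod 10000.
uint32_t reveal(uint32_t stored) {
    return (stored * mod_inverse(MUL, RANGE) % RANGE + RANGE - ADD) % RANGE;
}

// Number of distinct stored values when the multiplier is `mul`.
// A bijection yields all 10000; a non-coprime multiplier makes PINs collide.
uint32_t distinct_outputs(uint32_t mul) {
    std::vector<bool> seen(RANGE, false);
    uint32_t count = 0;
    for (uint32_t x = 0; x < RANGE; ++x) {
        uint32_t v = (x + ADD) % RANGE * mul % RANGE;
        if (!seen[v]) { seen[v] = true; ++count; }
    }
    return count;
}

int main() {
    std::printf("PIN 0042 -> %04u -> %04u\n", obscure(42), reveal(obscure(42)));
    std::printf("multiplier 5679: %u distinct values\n", distinct_outputs(5679));
    std::printf("multiplier 5680: %u distinct values\n", distinct_outputs(5680));
    return 0;
}
```

With a non-coprime multiplier many different PINs verify against the same stored value, which is the false-positive case the post wants to avoid.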

  7. #7
    Programmer schnaader
    Since it's only 10000 possible PINs, I like this approach (pseudocode):

    Code:
    seed random number generator with seed S
    generate an array A, filled with the numbers 0000..9999
    for N iterations, do:
      generate two random numbers B and C in the range 0..9999
      swap array elements A[B] and A[C]

    N should be some value above 100K.
    After that, use the entered PIN as an index to the array A and store its value together with S and N.
    To reverse, generate the array again. You can either search the index to the value, create a reverse mapping array or use a map data structure that allows value->index in O(1).

    This shuffles the possible PINs and creates a bijective, reversible mapping. Creating the array takes longer than computing the hash, but after that, it's a simple lookup. Also, programming this is very straightforward and easy.
    http://schnaader.info
    Damn kids. They're all alike.

  8. #8
    Programmer Bulat Ziganshin
    schnaader, you may like to discover https://en.wikipedia.org/wiki/Fisher...3Yates_shuffle

    my implementation:

    #include <cstdint>
    #include <vector>

    // Fill arr with a pseudo-random permutation of 0..arr.size()-1.
    // arr must already be sized by the caller; init_rnd seeds the LCG.
    template <class T>
    void GeneratePermutation (std::vector<T> &arr, uint64_t init_rnd)
    {
        // https://en.wikipedia.org/wiki/Fisher–Yates_shuffle#The_.22inside-out.22_algorithm
        uint32_t rnd = uint32_t(init_rnd);
        auto a = arr.data();
        for (int i = 0, size = int(arr.size()); i < size; ++i)
        {
            rnd = 29943829*rnd + 1013904223; // https://en.wikipedia.org/wiki/Linear_congruential_generator
            T j = T((uint64_t(rnd)*uint32_t(i + 1)) >> 32); // generate PRN in the [0..i] range (range = i + 1)
            a[i] = a[j]; // if (i != j) a[i] = a[j];
            a[j] = T(i);
        }
    }

  9. #9
    Programmer schnaader
    Originally posted by Bulat Ziganshin:
    schnaader, you may like to discover https://en.wikipedia.org/wiki/Fisher...3Yates_shuffle
    my implementation:
    [...]
    Agreed, it's a bit more sophisticated, but guarantees success in exactly 10K iterations. So using this removes the need to store iteration count. Also note that using a fixed seed doesn't really matter here, as the LCG parameters can be chosen differently, so storing this is optional, too.
    http://schnaader.info
    Damn kids. They're all alike.
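
An added example, not code from any poster: the store-and-verify procedure from posts #7 to #9, using an inside-out Fisher-Yates shuffle with the LCG constants from post #8 and a reverse-mapping array. The names `StoredPin`, `store_pin`, `verify_pin`, `invert` and `is_bijection` are assumptions; because the seed sits beside the stored value, anyone who can read both the record and the program can rebuild the table.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

constexpr uint32_t PIN_COUNT = 10000;  // 0000..9999

// Inside-out Fisher-Yates driven by a fixed LCG, so one seed gives the same
// table on every compiler and platform (required for stored values to verify).
std::vector<uint16_t> make_permutation(uint32_t seed) {
    std::vector<uint16_t> perm(PIN_COUNT);
    uint32_t rnd = seed;
    for (uint32_t i = 0; i < PIN_COUNT; ++i) {
        rnd = 29943829u * rnd + 1013904223u;                     // LCG step, mod 2^32
        uint32_t j = uint32_t((uint64_t(rnd) * (i + 1)) >> 32);  // j in [0, i]
        perm[i] = perm[j];
        perm[j] = uint16_t(i);
    }
    return perm;
}

// Reverse-mapping array: inv[perm[p]] == p for every PIN p.
std::vector<uint16_t> invert(const std::vector<uint16_t>& perm) {
    std::vector<uint16_t> inv(perm.size());
    for (std::size_t i = 0; i < perm.size(); ++i) inv[perm[i]] = uint16_t(i);
    return inv;
}

// True when every value 0..size-1 appears exactly once.
bool is_bijection(const std::vector<uint16_t>& perm) {
    std::vector<bool> seen(perm.size(), false);
    for (uint16_t v : perm) {
        if (v >= perm.size() || seen[v]) return false;
        seen[v] = true;
    }
    return true;
}

struct StoredPin { uint32_t seed; uint16_t value; };  // what ends up on disk

StoredPin store_pin(uint16_t pin, uint32_t seed) {
    return {seed, make_permutation(seed)[pin]};
}

bool verify_pin(const StoredPin& rec, uint16_t entered) {
    return entered < PIN_COUNT && make_permutation(rec.seed)[entered] == rec.value;
}

int main() {
    StoredPin rec = store_pin(1234, 42);  // constructed sample PIN and seed
    std::printf("stored %04u, recovered %04u\n", unsigned(rec.value),
                unsigned(invert(make_permutation(rec.seed))[rec.value]));
    return 0;
}
```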
