Skip to content

Password Hashing

CypherX edited this page Mar 20, 2012 · 2 revisions

From version 2.0 and onwards xAuth has hashed passwords using the Whirlpool hashing algorithm combined with a randomly generated salt.


Example

Plaintext: password
Hashed: cb5ef15b400cef07addb37e00e2cdd6d1b508a2a26f0befcb0f9d8fd03c1d67be1690eba2287c4f76a590f2feae654ce5aee9943a23babb8e56381fe3214a48ad8754a1fd9eb

How does it work?

1. First, the salt is created by taking the first 12 characters of a randomly generated Whirlpool hash.

400cef07addb

2. Next, the salt and plaintext password are combined and hashed.

400cef07addbpassword
cb5ef15b37e00e2cdd6d1b508a2a26f0befcb0f9d8fd03c1d67be1690eba2287c4f76a590f2feae654ce5aee9943a23babb8e56381fe3214a48ad8754a1fd9eb

3. Finally, the salt is inserted into the previously generated hash at a position determined by the length of the plaintext password.

cb5ef15b[[400cef07addb]]37e00e2cdd6d1b508a2a26f0befcb0f9d8fd03c1d67be1690eba2287c4f76a590f2feae654ce5aee9943a23babb8e56381fe3214a48ad8754a1fd9eb

For more information, click here.


PHP Function

function encryptPassword($password) {
	$salt = substr(hash('whirlpool', uniqid(rand(), true)), 0, 12);
	$hash = hash('whirlpool', $salt . $password);
	$saltPos = (strlen($password) >= strlen($hash) ? strlen($hash) : strlen($password));
	return substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos);
}
function checkPassword($checkPass, $realPass, $algorithm) {
	switch ($algorithm) {
	case 1:
		return $realPass == hash('whirlpool', $checkPass);
	case 2:
		return $realPass == hash('md5', $checkPass);
	case 3:
		return $realPass == hash('sha1', $checkPass);
	case 4:
		return $realPass == hash('sha256', $checkPass);
	default:
		// xAuth hashing
		$saltPos = (strlen($checkPass) >= strlen($realPass) ? strlen($realPass) : strlen($checkPass));
		$salt = substr($realPass, $saltPos, 12);
		$hash = hash('whirlpool', $salt . $checkPass);
		return $realPass == substr($hash, 0, $saltPos) . $salt . substr($hash, $saltPos);
	}
}
Something went wrong with that request. Please try again.