# Removing characters from a password to improve security?

• Posts: 214
• Loc: Sweden

3+ Months Ago

I got an idea when reading about MD5() function that produces hashes for passwords. The problem is that if a person hacks the database they can extract passwords from it using rainbow tables. Many users uses the same password everywhere and if the database contains emails the hacker could potentially find some real private info, and the users gets angry at the site for leaking their password.
At least I would.

But I got a idea to make the database almost completely useless but its not completley flawless and I would like to hear thoughts on the idea. Lets say we have a site where user have to signup and chose a password at least 8 characters long. The site then however removes the last 3 chars and replace it with a string like "abc" and hashes the password. Basically what this should do: IF a hacker gets the database AND compromises the hashes he would be there with "half" passwords, pretty much making the passwords useless even if the user have the same password on several sites.

The hacker can then only guess if he/she wants the full passwords witch makes the work time consuming, and gives the users plenty of time to change their passwords.

The only weakness with this would be that the passwords at login becomes shorter and perhaps users is easier to bruteforce, if a hacker just want to login as them at our example site. For instance if the users password is: "donthack", the hacker would succeed to login with a guess such as: "donthave" since the three last will be replaced with abc in any cases and then hashed. Is there a way around this weakness? What do you think about the idea?
• Genius
• Posts: 8485
• Loc: USA

3+ Months Ago

1) Substitute a number for every letter respectively to their order in alphabet... a, b and c would be 1, 2 and 3 respectively z, y, and x would be 26, 25 and 24 respectively. Then multiply each number together (If password is abc, then 1x2x3) and then md5 the end result. You could use a variant of this idea or something to make a more secure password hash.

2) MD5 the password and set it to \$hashed. MD5 the MD5'd password and set it to \$hashed2. Combine the \$hashed with \$hashed2 and MD5 it again.

3) Use a different random salt per each password.

4) Do your idea, but instead of replacing the last 3 letters, just add random letters in between the letters of the submitted password... or just after the password.

5) Hash the password backwards. (If the user submitted donthack, hash it as kcahtnod).

don't know if those suggestions would work... just trying to be creative
• Posts: 214
• Loc: Sweden

3+ Months Ago

Bogey wrote:
1) Substitute a number for every letter respectively to their order in alphabet... a, b and c would be 1, 2 and 3 respectively z, y, and x would be 26, 25 and 24 respectively. Then multiply each number together (If password is abc, then 1x2x3) and then md5 the end result. You could use a variant of this idea or something to make a more secure password hash.

2) MD5 the password and set it to \$hashed. MD5 the MD5'd password and set it to \$hashed2. Combine the \$hashed with \$hashed2 and MD5 it again.

3) Use a different random salt per each password.

4) Do your idea, but instead of replacing the last 3 letters, just add random letters in between the letters of the submitted password... or just after the password.

5) Hash the password backwards. (If the user submitted donthack, hash it as kcahtnod).

don't know if those suggestions would work... just trying to be creative

All of your suggestions are good ones and should make hacking the hashes harder since they remove common words (witch probably is the first a hacker would test for). Suggestion 2, sounds very complicated tho and I'm not sure what the output would be, but should protect ORGINAL pass I guess. : O

I guess combining my suggestion with a salt is not a issue and a very good way to make rainbow-tables "even" less useful. However the point with replacing instead of just inserting extra(s) would be that EVEN if the server is badly compromised and the PHP code is leaked with the database, there is still no way to get the last 3 without guessing. If you add lets say 4 letters in the end this can be seen on the PHP code so the hacker can if he cracks the hashes probably just remove the 4 last chars in each occurrence and would have the users password.

The point with my code was that even if you hand the hacker the database and the PHP code and he cracks some or all hashes he would still have no way to know what the last 3 is, since that isn't stored anywhere. And the users with the same password on (email) or similar is a bit more secure.(I hope)

Anyway I'm no expert so I'm just guessing.

=P

## Post Information

• Total Posts in this topic: 3 posts
• Users browsing this forum: No registered users and 50 guests
• You cannot post new topics in this forum
• You cannot reply to topics in this forum
• You cannot edit your posts in this forum
• You cannot delete your posts in this forum
• You cannot post attachments in this forum