so i have a login system and i have used some security measures to make it secure. Firstly i salt my passwords:
$salt = openssl_random_pseudo_bytes(1024);
file_put_contents("salt.txt", $salt);
Next i hash it using the whirlpool algorithm:
function myhash($password){
$salt = file_get_contents("private/salt.txt");
$password = hash_hmac('whirlpool',$password,$salt);
return $password;
}
This is an example of the password that would get returned and stored in the Database:
56a8cf545750eec78cb58582829636b1e0378cf0fff4982305a7171f06593fb92735d3576f0ad7ba8aec40c914abc38424885cb7ac2672b1d8da36e3b95c80ce
Now my question: If a hacker was able to recover that long string above, would they be able to somehow reverse/decrypt it to return them the actual password. Let me know what you guys think/know, is it impossible?
This is not a thread for people to suggest other things to me, please keep answers strictly related to the single question.
Short answer "NO". whirlpool is fairly strong hashing algorithm (not encryption algorithm as encryption assumes ability to decrypt in some way). Salt (AKA shared key) just makes is even stronger. But having the same salt for everyone does not make it much weaker but makes it possible to find out who has the same password (without knowing the password itself).
Better use of salt is that it is randomly generated before use in hash function (and it does not need to be 1024 bytes - 8 bytes is more than enough for salt) and then prepended to resulting hash. This way function which will check the password knows which salt must be used and what hash is expected.
Whirlpool algorithm has no known weaknesses and uses 512 bit. Therefore it is regarded as secure. However I personally have two negative views on it:
So my personal view is that nothing wrong with your code and it is quite secure. But you may be better off switching to SHA512.
Only way to recover password from that long string is brute force for VERY LONG TIME (if password is strong of course) or may be using some technology from NSA :)