Chimeric Dream

My multi-faceted reverie

Hash Encryption of User Input (ASP & PHP)

This bit of code is something I came up with a few years ago. I was trying to come up with a way to generate passwords and secure database names when I decided to build a function to do it for me. Basically, it takes your input, hashes it, then suggests potential passwords or database names.

I have no illusions that this is the most groundbreaking code snippet out there, but hopefully it will be of some use to people.

Since creating the original ASP function, I have made a PHP version of it as well.

ASP

This script requires the SHA-256 Digest script developed by Frez Systems Limited. It contains a SHA-256 hashing algorithm for ASP, written in VBScript.

In a nutshell, the script below takes a string, runs it through the hash algorithm, and returns a list of suggested database names or passwords. You can choose from a 16, 10, or 8 digit password with characters chosen from the beginning, middle, or end of the returned hash.

If Request.Form("textToHash") <> "" Then
    hashedResult = sha256(Request.Form("textToHash"))
    ' HTML-encode the submitted text before echoing it back into the page.
    Response.Write  "           <div style=""margin:1em;"">" & vbNewline & _
            "               Hashed Text: " & Server.HTMLEncode(Request.Form("textToHash")) & "<br />" & vbNewline & _
            "               Hashed Result: " & hashedResult & vbNewline & _
            "           </div>" & vbNewline & _
            "           <h3>Potential Passwords / Database Names</h3>" & vbNewline & _
            "           <div style=""margin:1em;"">" & vbNewline & _
            "               " & Left(hashedResult,16) & "<br />" & vbNewline & _
            "               " & Mid(hashedResult,(Len(hashedResult)/2)-8,16) & "<br />" & vbNewline & _
            "               " & Right(hashedResult,16) & "<br />" & vbNewline & _
            "           </div>" & vbNewline & _
            "           <div style=""margin:1em;"">" & vbNewline & _
            "               " & Left(hashedResult,10) & "<br />" & vbNewline & _
            "               " & Mid(hashedResult,(Len(hashedResult)/2)-5,10) & "<br />" & vbNewline & _
            "               " & Right(hashedResult,10) & "<br />" & vbNewline & _
            "           </div>" & vbNewline & _
            "           <div style=""margin:1em;"">" & vbNewline & _
            "               " & Left(hashedResult,8) & "<br />" & vbNewline & _
            "               " & Mid(hashedResult,(Len(hashedResult)/2)-4,8) & "<br />" & vbNewline & _
            "               " & Right(hashedResult,8) & "<br />" & vbNewline & _
            "           </div>" & vbNewline
End If

Response.write  "           <form action=""?"" method=""post"">" & vbNewline & _
        "               <fieldset>" & vbNewline & _
        "                   <label for=""textToHash"">Text to hash:</label>" & vbNewline & _
        "                   <input id=""textToHash"" name=""textToHash"" type=""text"" maxlength=""255"" />" & vbNewline & _
        "                   <input type=""submit"" value=""Hash Text"" />" & vbNewline & _
        "               </fieldset>" & vbNewline & _
        "           </form>" & vbNewline

If Request.Form("textToHash") <> "" Then
    Response.write  "           <div style=""margin:2em;"">" & vbNewline & _
            "               <a href=""?"">Clear Page</a>" & vbNewline & _
            "           </div>" & vbNewline
End If

PHP (Demo)

The PHP implementation of this script is nearly identical to the ASP one. The primary difference is that PHP has hash algorithms built in. This script fetches a list of the algorithms available on your server, and populates a dropdown box with them. This gives you the flexibility to use any number of different algorithms, increasing the security of your password or filename.

<?php
// Read the submitted values once. Both are missing on the first page load,
// and anything that is not a plain string is treated as empty.
$textToHash = (isset($_POST['textToHash']) && is_string($_POST['textToHash'])) ? $_POST['textToHash'] : '';
$hashMethod = (isset($_POST['hashMethod']) && is_string($_POST['hashMethod'])) ? $_POST['hashMethod'] : '';

// Algorithms available on this server.
$hashArr = hash_algos();

// Hash only when text was submitted and the requested algorithm is in that list.
if ($textToHash !== '' && in_array($hashMethod, $hashArr, true)) {
    $hashedResult = hash($hashMethod, $textToHash);
    // User-supplied values are HTML-escaped before being echoed back.
    echo '          <div style="margin:1em;">
                Hashed Text: ' . htmlspecialchars($textToHash, ENT_QUOTES, 'UTF-8') . '<br />
                Hash Method: ' . htmlspecialchars($hashMethod, ENT_QUOTES, 'UTF-8') . '<br />
                Hashed Result: ' . $hashedResult . '
            </div>
            <div style="margin:1em;">
                Potential Password / Database Name (First 16 digits): ' . substr($hashedResult,0,16) . '<br />
                Potential Password / Database Name (Middle 16 digits): ' . substr($hashedResult,(strlen($hashedResult)/2)-8,16) . '<br />
                Potential Password / Database Name (Last 16 digits): ' . substr($hashedResult,-16) . '<br />
            </div>
            <div style="margin:1em;">
                Potential Password / Database Name (First 10 digits): ' . substr($hashedResult,0,10) . '<br />
                Potential Password / Database Name (Middle 10 digits): ' . substr($hashedResult,(strlen($hashedResult)/2)-5,10) . '<br />
                Potential Password / Database Name (Last 10 digits): ' . substr($hashedResult,-10) . '<br />
            </div>
            <div style="margin:1em;">
                Potential Password / Database Name (First 8 digits): ' . substr($hashedResult,0,8) . '<br />
                Potential Password / Database Name (Middle 8 digits): ' . substr($hashedResult,(strlen($hashedResult)/2)-4,8) . '<br />
                Potential Password / Database Name (Last 8 digits): ' . substr($hashedResult,-8) . '<br />
            </div>';
}

echo '          <form action="phpHash.php" method="post">
                <fieldset>
                    <label for="textToHash">Text to hash:</label>
                    <input id="textToHash" name="textToHash" type="text" maxlength="255" /><br />
                    <label for="hashMethod">Hash Algorithm</label>
                    <select id="hashMethod" name="hashMethod">
';

// Build the dropdown, keeping the previously chosen algorithm selected.
for ($i = 0; $i < count($hashArr); $i++) {
    echo '                      <option value="' . $hashArr[$i] . '"';
    if (($i == 0 && $hashMethod === '') || ($hashArr[$i] === $hashMethod)) {
        echo ' selected="selected"';
    }
    echo '>' . $hashArr[$i] . "</option>\n";
}

echo '                  </select>
                    <input type="submit" value="Hash" />
                </fieldset>
            </form>
';

if ($textToHash !== '') {
    echo '          <div style="margin:2em;">
                <a href="phpHash.php">Clear Page</a>
            </div>
';
}
?>
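
The slicing used by both scripts, written as one function and placed next to a generator that draws the same number of hex characters from PHP's CSPRNG: the hash slices are fully determined by the input text and the algorithm, while the random value is not. This is an added example, not the author's code; hashSlices() and randomHexName() are hypothetical names, the sample input is constructed, and PHP 7 or later is assumed.

```php
<?php
// Added example, not part of the original scripts. Function names are hypothetical.

// First, middle and last $len hex characters of hash($algo, $text),
// the same three slices the scripts above print.
function hashSlices(string $text, string $algo, int $len): array
{
    // Accept only an algorithm this PHP build reports as available.
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException('Unsupported hash algorithm');
    }
    $hex = hash($algo, $text);
    if ($len < 1 || $len > strlen($hex)) {
        throw new InvalidArgumentException('Length does not fit this digest');
    }
    $mid = intdiv(strlen($hex), 2) - intdiv($len, 2);
    return [
        'first'  => substr($hex, 0, $len),
        'middle' => substr($hex, $mid, $len),
        'last'   => substr($hex, -$len),
    ];
}

// $len hex characters taken from the operating system CSPRNG, so the
// value does not depend on any text a person chose.
function randomHexName(int $len): string
{
    if ($len < 1) {
        throw new InvalidArgumentException('Length must be positive');
    }
    // Each random byte yields two hex characters; round up, then trim.
    return substr(bin2hex(random_bytes(intdiv($len + 1, 2))), 0, $len);
}

// Constructed sample input.
$a = hashSlices('inventory', 'sha256', 16);
$b = hashSlices('inventory', 'sha256', 16);
$c = hashSlices('inventory', 'md5', 16);

var_dump($a === $b);                    // same text and algorithm give the same slices
var_dump($a['first'] === $c['first']);  // another algorithm gives other slices
echo randomHexName(16), "\n";           // differs on every run
```

Each hex character carries at most 4 bits, so a 16-character slice tops out at 64 bits, and only when the text that was hashed is itself unpredictable.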

Final Note: As a rule, I would recommend that you not store databases and other secure files in a web accessible directory. While a hard-to-guess filename is a form of security, and is certainly an important part of it, security through obscurity is hardly a reliable method of preventing intrusion. As such, I strongly suggest that in addition to using secure names for important files, you store them above your root web directory whenever possible. Obviously this is not going to be possible all the time. However, if you get into the habit of storing secure files in a location that is not accessible via the web, you will have taken a large step in securing your information.
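
One way to check the recommendation above from code, as an added example that is not part of the original post: isOutsideWebRoot() is a hypothetical helper, and the directory layout is constructed in the system temp directory so the snippet runs on its own (PHP 7 or later assumed).

```php
<?php
// Added example, not the author's code. isOutsideWebRoot() is a hypothetical helper.

// True when $path resolves to a location that is not inside $docRoot.
// Both must exist, because realpath() resolves symlinks and ".." segments.
function isOutsideWebRoot(string $path, string $docRoot): bool
{
    $realPath = realpath($path);
    $realRoot = realpath($docRoot);
    if ($realPath === false || $realRoot === false) {
        throw new RuntimeException('Path or document root does not exist');
    }
    // Compare with a trailing separator so a sibling such as "www-data"
    // is not mistaken for a child of "www".
    $root      = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $candidate = rtrim($realPath, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($candidate, $root, strlen($root)) !== 0;
}

// Constructed layout: <base>/www is the web root; <base>/www/db and
// <base>/www-data are two candidate places to keep a database file.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'webroot-demo-' . bin2hex(random_bytes(4));
foreach (['www/db', 'www-data'] as $dir) {
    mkdir($base . DIRECTORY_SEPARATOR . $dir, 0700, true);
}
$docRoot = $base . DIRECTORY_SEPARATOR . 'www';

var_dump(isOutsideWebRoot($base . '/www/db', $docRoot));          // directory under the web root
var_dump(isOutsideWebRoot($base . '/www/../www-data', $docRoot)); // sibling reached through ".."
```

In a deployed script the second argument would normally be $_SERVER['DOCUMENT_ROOT'].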
