
Long passwords on wan show

Jason Arencibia
<?php
//4098 char password
$pblock = "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";


echo encode_passcode($pblock);

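function encode_passcode($pass){
	$SERV_SEED = 'MDAwMDAwMDAwMDE5ZDY2ODljMDg1YWUxNjU4MzFlOTM0ZmY3NjNhZTQ2YTJhNmMxNzJiM2YxY';
	// Integer derived from the password's length and character values only.
	$nonce = strlen($pass) + hash_sum($pass) + hash_sum_ord($pass) + hash_sum_ord_alt($pass);
	// Note: the third parameter of hash() is the boolean $binary flag, not a key or salt.
	// The string passed here is truthy, so hash() returns raw bytes and $SERV_SEED
	// does not influence the digest.
	$_pass = hash('sha512', $nonce.'::'.$pass.'::'.$nonce,$nonce.'::'.$SERV_SEED.'::'.$nonce);
	$crc = 'Jn60J8e6';//crc32($_pass);
	// The outer sha256 call has no third argument, so it returns 64 hex characters.
	return (string) hash('sha256',hash('sha512', $crc.'::'.$_pass.'::'.$crc,$crc.'::'.$_pass.'::'.$crc));
}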

function hash_sum($hash){
	return (int) array_sum(preg_split('//', $hash, -1, PREG_SPLIT_NO_EMPTY));
}

function hash_sum_ord($hash,$dud=null){
	$_h = preg_split('//', $hash, -1, PREG_SPLIT_NO_EMPTY);

	foreach ($_h AS $key => $val) {
		$dud[] = ord($val);
	}

	return (int) array_sum($dud);
}

function hash_sum_ord_alt($hash,$dud=null){
	$_h = preg_split('//', $hash, -1, PREG_SPLIT_NO_EMPTY);

	foreach ($_h AS $key => $val){
		$dud[] = ord($val)/62;
	}

	$mult=array_sum($dud);
	foreach ($dud AS $key => $val){
		$mult *= $val;
	}

	return (int) ceil($mult/65536);
}

Some of this is needed for other crap in my scripts, I'm just off to work so left the odd ord functions. Just wanted to say, you can let people use any length password they feel safe with, and "HASH" it down to a 64bit string, not just crop it to 64 characters!


This is missing the closing ?>; I tested online and forgot before adding to post.
http://sandbox.onlinephpfunctions.com/code/327549c1ecbcce30f7a15106b355d37c65f3c7e8

 

` Current system

  • AMD FX8350 Black
  • Cooler Master Hyper 212 EVO
  • Gigabyte 990FXA-UD3 R5
  • ASUS ROG RX 560 4GB ROG-STRIX-RX560-O4G-EVO-GAMING
  • Thermaltake Core V31
  • 16GB Kingston HyperX FURY
  • Thermaltake Smart 750W
  • Seagate 1TB FireCuda Gaming SSHD
  • Windows 10
    https://valid.x86.fr/qy579p

So what Luke was talking about is likely BCrypt, which is a very secure and awesome hashing function that uses the Blowfish cipher as part of the hashing process. Blowfish has a maximum key size of 448 bits (or 56 bytes), though in the bcrypt algorithm, it processes things with 18 x 32-bit subkeys (which comes out to 72 bytes total, so 71 bytes not including terminator at the end of the string). However, if we take UTF-8 into consideration, any UTF-8 string that exceeds 72 bytes is truncated to 72 bytes, so some UTF-8 characters exceed that on their own. The real solution is to pre-hash passwords using something like SHA-256 and then pass the SHA-256 hash (which is fixed to 45 characters including null) into the bcrypt algorithm, which will allow arbitrarily long passwords (though you might want to limit it to 1024 or something to prevent annoying DoS through password submission).

 

There's a really good writeup on it on security stackexchange here - https://security.stackexchange.com/a/184090

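The 72-byte truncation and the SHA-256 pre-hash discussed in the post above, shown as an added example that is not part of the original thread or any poster's code. The function names, the cost of 12 and the MAX_PASSWORD_BYTES constant are assumptions made for this sketch; the sample passwords are constructed.

```php
<?php
// Added example: bcrypt's 72-byte input limit and the SHA-256 pre-hash workaround.
// All names below are hypothetical and chosen for this sketch.

const MAX_PASSWORD_BYTES = 1024; // cap on submitted length, to bound hashing work

function prehash(string $password): string
{
    if (strlen($password) > MAX_PASSWORD_BYTES) {
        throw new LengthException('password too long');
    }
    // Raw 32-byte digest, base64-encoded: always 44 ASCII characters.
    // Encoding matters: a raw digest can contain NUL bytes, which bcrypt
    // implementations treat as end-of-string.
    return base64_encode(hash('sha256', $password, true));
}

function hash_long_password(string $password): string
{
    return password_hash(prehash($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_long_password(string $password, string $stored): bool
{
    try {
        return password_verify(prehash($password), $stored);
    } catch (LengthException $e) {
        return false; // over-long submissions are rejected before bcrypt runs
    }
}

// Constructed sample input: two 100-byte passwords that share their first 72 bytes.
$a = str_repeat('x', 72) . str_repeat('A', 28);
$b = str_repeat('x', 72) . str_repeat('B', 28);

// Plain bcrypt ignores everything after byte 72, so $b is accepted for $a's hash.
$plain = password_hash($a, PASSWORD_BCRYPT, ['cost' => 12]);
printf("plain bcrypt, other password accepted: %s\n",
    var_export(password_verify($b, $plain), true));

// With the pre-hash, every byte of the password feeds the 44-character bcrypt input.
$stored = hash_long_password($a);
printf("pre-hashed, same password accepted:    %s\n",
    var_export(verify_long_password($a, $stored), true));
printf("pre-hashed, other password accepted:   %s\n",
    var_export(verify_long_password($b, $stored), true));
```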

24 minutes ago, Eric The Tech Guru said:

So what Luke was talking about is likely BCrypt, which is a very secure and awesome hashing function that uses the Blowfish cipher as part of the hashing process. Blowfish has a maximum key size of 448 bits (or 56 bytes), though in the bcrypt algorithm, it processes things with 18 x 32-bit subkeys (which comes out to 72 bytes total, so 71 bytes not including terminator at the end of the string). However, if we take UTF-8 into consideration, any UTF-8 string that exceeds 72 bytes is truncated to 72 bytes, so some UTF-8 characters exceed that on their own. The real solution is to pre-hash passwords using something like SHA-256 and then pass the SHA-256 hash (which is fixed to 45 characters including null) into the bcrypt algorithm, which will allow arbitrarily long passwords (though you might want to limit it to 1024 or something to prevent annoying DoS through password submission).

 

There's a really good writeup on it on security stackexchange here - https://security.stackexchange.com/a/184090

Yeah, that is what this was trying to demonstrate, I changed the sha-512 to sha-256 explaining that hashing long passwords to a usable length is an option.

 


I find it funny that people are complaining about the password characters limit of 72, which let's face it, is already A LOT and is near impossible to brute force with current PC tech in any reasonable amount of time...

 

When our shitty government gets away with this bullshit and nobody talks about it

 

There are priorities in life and having passwords greater than 72 on a simple video platform online, isn't one.

 

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


2 hours ago, TetraSky said:

I find it funny that people are complaining about the password characters limit of 72, which let's face it, is already A LOT and is near impossible to brute force with current PC tech in any reasonable amount of time...

 

When our shitty government gets away with this bullshit and nobody talks about it

 

There are priorities in life and having passwords greater than 72 on a simple video platform online, isn't one.

 

I agree! More than length, I hate how one site restricts some characters, another restricts other characters. The longest I use, and remember, is "between" 16 and 24 characters, and would NOT work with that example site!!!

I just chimed in because I can see people wanting to have longer strings for a PW, and hashing them down to a manageable size is an option. Maybe, if they have some kind of USB key system that stores some super long password string, and it's the only place the PW is saved so only one person can access and upload content, like Fort Knox of channels, idk. XD I like Steve @ GN but he sounds like someone who would have Fort Knox level PW for his channel! XD Linus, if I die, the team still has a job; Steve, if I die, the team is S.O.L.! XD

Side note, I bet that gov site also stores in plain text, that's why they restrict characters, so their login doesn't see characters in a PW as EOL, and freaks out the PW system allowing any PW. >.<

idk, I just like encrypting the crap out of things, and the code snippet I shared is part of much more, I made a cross-platform polymorphic encryption script, so the set 128 character length of sha-512, chr ords, what character is in certain positions in that 128, etc, etc helps with the first part and other times with entropy in my script. BUT, I'm crazy like that! XD

 

