Computing, Information Systems, Development Informatics & Allied Research Journal Vol. 8 No. 1, March, 2017 - www.cisdijournal.net

Empirical Evaluation of Data Hashing Algorithms for Password Checks in PHP Webapps Using Salt and Pepper

Ajayi, O.O. 1
Department of Computer Science, Faculty of Science, Adekunle Ajasin University, Akungba-Akoko, Ondo State, Nigeria
olusola.ajayi@aaua.edu.ng

Falana, T.F. 2
Department of Science and Technical Education, Faculty of Education, Adekunle Ajasin University, Akungba-Akoko, Ondo State, Nigeria
fredrick.falana@aaua.edu.ng

ABSTRACT

Authentication is key in any network setting. It is the act of verifying data and disallowing the penetration of false or fake data. The quest to ensure adequate authentication gave rise to the design and deployment of different hashing algorithms. Research has, however, shown that the different hash algorithms have different loopholes. This study furthers existing work in this domain by examining the existing hash algorithms. The experimental work considers the password check, testing with SHA256, SALT, BCRYPT, CRYPT, and MD5 and injecting Pepper code into the algorithms. Just as in the domestic world, the results show that adding Pepper to Salt yields a more secure algorithm for preserving and protecting passwords.

Keywords: WebApps, Hashing, Algorithm, Security, Cryptography, Salt, MD5, SHA, Crypt, BCrypt, Pepper.

CISDI Journal Reference Format
Aziken, G.O. and Egbokhare, F.A. (2017): Resolving the User-Developer Requirements Elicitation Conflict Using a Psychological Lens. Computing, Information Systems, Development Informatics & Allied Research Journal. Vol 8 No 1. Pp 21-28. Available online at www.cisdijournal.net

1. RESEARCH BACKGROUND

The web application, introduced in 1990, was a general delivery mechanism. It has been transformed from a delivery mechanism for static hypertext documents into a complete, dynamic run-time environment for multi-party and distributed applications.
The emerging trend was popular in peer-to-peer web applications and multiple applications. But the transformation of the web application away from the server-centric model creates significant and numerous challenges in web application security (Alanazi & Sarrab 2011).

MD4 was the first widely used dedicated hash function. Developed by Rivest in 1990, it soon came under attack, after which Rivest created MD5, a stronger function, in 1992. However, Den Boer, Bosselaers and Dobbertin reported semi-free-start collision and pseudo-collision attacks on MD5. By the mid-1990s, BSD extended DES-based crypt to properly support long passwords and permit configurable iteration counts of up to 725 iterations, along with 24-bit salting (Peslyak, 2012). In 1994, FreeBSD introduced the MD5-based crypt library, which enables the use of long passwords and 1000 iterations of MD5 with up to 48-bit salting. Most Linux distributions adopted the FreeBSD MD5 library by the late 1990s. Early rainbow table attack tools, such as Qcrack and BitSlice, were released around 1997, allowing fast pre-computation of DES hashes while supporting salting, so that a dictionary could be attacked across all 4096 possible salts.

As computers and users became connected and networked in the late 1990s, password attacks extended to networks. During this period, non-switched Ethernet was a commonly used technology. Passwords were secured at rest but usually transmitted across networks in the clear during operation (Peslyak, 2012). In the early 1990s, attackers targeted passwords in transit by sniffing from compromised servers, thereby intercepting the passwords transmitted by all the users in a local segment. Developers adapted to the networked computing movement and implemented challenge-response pairs, Kerberos, S/Key, and SSH to provide network authentication without exposing protected keys or passwords. With the expansion of the World Wide Web, web application authentication became widely adopted. This innovation also extended the allowable password length and highlighted the need to secure passwords. In the late 1990s and early 2000s, numerous web developers built application password security around the PHP MD5 module. However, the adopted PHP MD5 hashing function lacks password salting and iteration (Peslyak, 2012).
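The contrast drawn above, between an unsalted single-pass MD5 check and the salted, peppered, iterated scheme the paper evaluates, can be seen in a few lines. The following is an added illustration, not code from the paper (whose experiments target PHP); it uses Python's standard library, and the pepper value, iteration count and storage format are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example pepper: a server-side secret held in application
# config or the environment, never stored in the database beside the hashes.
PEPPER = b"constructed-example-pepper-replace-in-real-deployments"
ITERATIONS = 100_000  # work factor; the legacy md5() check has exactly one pass

def md5_unsalted(password: str) -> str:
    """Legacy PHP md5()-style check: no salt, a single iteration.
    Equal passwords give equal digests, so one precomputed (rainbow) table
    covers every user of every site that hashes this way."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> str:
    """Salt + pepper + iteration. The pepper is applied as an HMAC key before
    the salted, iterated hash, so a dumped record (salt + digest) cannot be
    attacked offline without also obtaining the application server's secret."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())

def verify_password(password: str, stored: str, pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and the server's pepper; constant-time compare."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if algo != "pbkdf2_sha256":
        return False
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    # Two users choosing the same weak password, a common real-world situation.
    print(md5_unsalted("password123") == md5_unsalted("password123"))  # True: identical
    a, b = hash_password("password123"), hash_password("password123")
    print(a == b)                                       # False: per-user salt
    print(verify_password("password123", a))            # True
    print(verify_password("password123", a, b"other"))  # False: pepper mismatch
```

Note that rotating the pepper invalidates every stored record, so a deployment needs a re-hash-on-next-login path or a versioned pepper identifier in the record.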