Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

0 votes
176 views
in Technique [Technology] by (71.8m points)

saltedhash - perl: using Digest::SHA3, using basic example from online, the bit value of the output puts it at 160, which says is a weak hash length(?)

I am using the following code to learn and familiarize myself with one-way password encryption, salting, and using them to verify a user on log in.

It works: I store the hashed password and the salt value in my database, and I can retrieve both and compare against the plain text password, no problem.

My question is about the output, how secure it is, etc.

use strict;
use warnings;
use Digest::SHA3;

my $plaintextpassword = 'cheeseburgerandfries';

# 61 characters (the digit 0 is missing), so index by the string's real length
my $salts = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789";

# rand() returns a float, so int() makes the offsets explicit;
# rand() is also not a cryptographic RNG, which is fine for learning only
my $s1a = int(rand(length($salts)));
my $s1b = int(rand(length($salts)));
my $s1c = int(rand(length($salts)));
my $salt = substr($salts,$s1a,1).substr($salts,$s1b,1).substr($salts,$s1c,1);

# Digest::SHA3->new with no argument selects SHA3-224
my $sha3 = Digest::SHA3->new;
$sha3->add($salt.$plaintextpassword);
my $encpw = $sha3->hexdigest;

which gives an output similar to

$encpw='7fd7d6e9b574fe6306be6c709d23050b5ad28f07e094403469229b6d'

When I take that value and run it through a text-to-bytes converter (online), I get

00110111 01100110 01100100 00110111 01100100 00110110 01100101 00111001 01100010 00110101
00110111 00110100 01100110 01100101 00110110 00110011 00110000 00110110 01100010 01100101
00110110 01100011 00110111 00110000 00111001 01100100 00110010 00110011 00110000 00110101
00110000 01100010 00110101 01100001 01100100 00110010 00111000 01100110 00110000 00110111
01100101 00110000 00111001 00110100 00110100 00110000 00110011 00110100 00110110 00111001
00110010 00110010 00111001 01100010 00110110 01100100

which I believe is 160 bits. As I'm really new to hashes and bits, I'm confused.

My thinking is that SHA3 is 256 bit and up, so why is the output 160 bit? I may even be misinterpreting the data, or even the information that I'm gathering from research, so forgive me.

Also, I'm certain there are easier/better/stronger/whatever ways to accomplish my goals, but I think my question is more along the lines of understanding bit length, etc.

Also, I was reading that it may be best to use a salt value length equal to the output character length, meaning my salt value would be 56 characters, just like my SHA3 output from above? I was thinking of using something rudimentary such as


my $salts = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789";

my $newsalt = '';   # declared and initialised so strict/warnings accept the first concatenation
my $sv = 0;

while ($sv < 56) {
    my $s1 = int(rand(length($salts)));
    $newsalt = $newsalt . substr($salts, $s1, 1);
    $sv++;
}

my $salt = $newsalt;

I did read about some module(s) that would give me truly random salt values, and I am interested in those, but my while loop seems to be doing the task, however unnecessary having a 56 character salt value is.

Any help and guidance would be sweet. Thanks!

  • spewn
question from:https://stackoverflow.com/questions/65713633/perl-using-digestsha3-using-basic-example-from-online-the-bit-value-of-the


1 Reply

0 votes
by (71.8m points)

The hash you were provided is 224 bits in size (not 160).

The module's abstract says

The module gives Perl programmers a convenient way to calculate SHA3-224, SHA3-256, SHA3-384, and SHA3-512 message digests, as well as variable-length hashes using SHAKE128 and SHAKE256.

Wikipedia confirms that these (224, 256, 384 and 512) are the standard sizes.

If you wish to get a specific size, use

use Digest::SHA3 qw( );

my $sha3 = Digest::SHA3->new(XXX);
$sha3->add(...);
my $hash = $sha3->hexdigest;

or

use Digest::SHA3 qw( sha3_XXX_hex );

my $hash = sha3_XXX_hex(...);

Use an appropriate number of bits instead of XXX.
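As an added example (not code from the question or the answer, and written against Python's hashlib rather than Perl's Digest::SHA3, whose SHA3 variants have the same output sizes), the following ties the digest size to what the asker measured: a SHA3-224 hex digest is 56 hex characters, which is 224 bits, and running that hex text through a text-to-bytes converter counts the ASCII encoding of the text, 56 bytes or 448 bits, not the digest itself. It also draws a salt from the asker's alphabet with a CSPRNG instead of rand(), and verifies a candidate password with a constant-time comparison. The sample password, the alphabet, the 3- and 56-character salt lengths and the hex value in ASKER_HEX are taken from the question; the function names and everything else are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Values quoted in the question (constructed test data there, reused here).
PASSWORD = "cheeseburgerandfries"
SALT_ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789"  # 61 chars: '0' is missing
ASKER_HEX = "7fd7d6e9b574fe6306be6c709d23050b5ad28f07e094403469229b6d"

# The four fixed-size SHA-3 variants the module documents; the name is the output size in bits.
SHA3_BITS = (224, 256, 384, 512)


def sha3_hex(bits, data):
    """Hex digest of `data` using the SHA3 variant with the given output size."""
    h = hashlib.new(f"sha3_{bits}")
    h.update(data)
    return h.hexdigest()


def bits_from_hexdigest(hexdigest):
    """A hex character encodes 4 bits, so digest bits = 4 * hex length."""
    return len(hexdigest) * 4


def digest_sizes(bits, data):
    """Return (hex chars, digest bytes, digest bits) so the three views line up."""
    hexdigest = sha3_hex(bits, data)
    raw = bytes.fromhex(hexdigest)
    return len(hexdigest), len(raw), len(raw) * 8


def ascii_bits_of_hex_text(hexdigest):
    """What a 'text to bytes' converter measures: the hex *text* encoded as ASCII.
    Every hex character becomes one 8-bit byte, so this is twice the digest size."""
    return len(hexdigest.encode("ascii")) * 8


def make_salt(nchars):
    """Salt drawn from the asker's alphabet with the CSPRNG-backed secrets module."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(nchars))


def hash_password(password, salt, bits=256):
    """Same construction as the question: hash(salt || password), hex-encoded."""
    return sha3_hex(bits, (salt + password).encode("utf-8"))


def verify_password(candidate, salt, stored_hex, bits=256):
    """Recompute and compare in constant time, so timing does not leak the prefix match."""
    return hmac.compare_digest(hash_password(candidate, salt, bits), stored_hex)


if __name__ == "__main__":
    print("asker's hex digest:", bits_from_hexdigest(ASKER_HEX), "bits;",
          "its ASCII text:", ascii_bits_of_hex_text(ASKER_HEX), "bits")
    salt = make_salt(3)
    for bits in SHA3_BITS:
        print(f"SHA3-{bits}: (hex chars, bytes, bits) =",
              digest_sizes(bits, (salt + PASSWORD).encode("utf-8")))
    stored = hash_password(PASSWORD, make_salt(56))
    print("stored hex length:", len(stored))
```

The construction is kept as the question has it (one SHA-3 pass over salt || password) so that the size arithmetic is the only thing being shown; which digest size or which hashing scheme to adopt is the separate point the asker set aside.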
