Discuss Scratch
- Discussion Forums
- » Show and Tell
- » I tried to securely verify passwords
- astro-mechanic
-
500+ posts
I tried to securely verify passwords
I'm just playing around. Scratch is fun.
The project is here. It lets you verify a user without actually storing their password anywhere. You can set the number of bytes used for the hash, and you can't tell if 2 hashes of different byte lengths are of the same thing without knowing what was hashed.
Sometimes it has a massive amount of zeroes in front of it…this is probably because of the small character set used on input.
- astro-mechanic
-
500+ posts
Added salts. More secure now. 

- LiquidMetal
-
100+ posts
Anything that can be done can be undone, is that not true?
- amgames
-
100+ posts
Yes, but a hash isn't an encoded version of the password. It's basically a randomized string based on the password.
Consider a CSPRNG (cryptographically secure pseudorandom number generator). You give it a “seed”, and it continues to give you “random” numbers, really just based off of this seed. The point of a CSPRNG is to do this without ever giving out enough information for somebody reading the “random” numbers to figure out what the seed is, so that they won't be able to predict the next number.
This is how I designed my hash function. First, it changes the bytes into one big number (which is unique for every sequence of bytes), and uses it as a seed for a custom CSPRNG. The CSPRNG then generates however many bytes you want; this is the hash.
It's extremely hard (impossible?) to make a hash function which doesn't have clashes (different things hashing into the same thing). The goal is to keep these clashes far away from what might be hashed.
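An added example (not part of the thread and not the Scratch project's code): the same idea of verifying a password without storing it, with a salt and a selectable digest length, built on PBKDF2 from Python's standard library instead of a custom generator. The iteration count, record layout and function names are assumptions of this example; the requested length is mixed into the salt because PBKDF2 alone would make a short digest a prefix of the longer one.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example (not taken from the Scratch project).
ITERATIONS = 200_000   # work factor; tune to your hardware
SALT_LEN = 16          # bytes of random salt per stored record


def derive(password: str, salt: bytes, length: int) -> bytes:
    """Stretch password + salt into `length` bytes with PBKDF2-HMAC-SHA256.

    The length is appended to the salt so that the 16-byte digest of a
    password is not simply the first half of its 32-byte digest.
    """
    if not 16 <= length <= 64:
        raise ValueError("digest length must be 16..64 bytes")
    bound_salt = salt + length.to_bytes(2, "big")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               bound_salt, ITERATIONS, dklen=length)


def enroll(password: str, length: int = 32) -> dict:
    """Build the record to store: salt, length and digest, never the password."""
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "length": length,
            "digest": derive(password, salt, length)}


def verify(record: dict, attempt: str) -> bool:
    """Recompute the digest for the attempt and compare in constant time."""
    candidate = derive(attempt, record["salt"], record["length"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    rec = enroll("correct horse battery staple")   # constructed sample input
    print("right password:", verify(rec, "correct horse battery staple"))
    print("wrong password:", verify(rec, "correct horse battery stapl3"))
```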