Is md5 the best way to scramble your passwords? I have been reading that it can be breached?
CSS Codes
Senior Coders
md5 Password Scramble
Is md5 the best way to scramble your passwords? I have been reading that it can be breached?
Senior Coders
yes. MD5 is not currently decryptable.
This:
Would be an example of how to use hashes.PHP Code:Password Is:
<?php
$hash = "something"; //equal to md5("correct password") I don't have a server on hand... cant make a hash
if (md5($_POST['pass']) == $hash) {
echo "Correct";
} else {
echo "Incorrect";
} ?>
Also, if someone got a hold of the DB output, then they couldn't login becaus they dont know the string that created the hash.
Modtoreador
Not breakable, no, but there are several problems with collisions, where, given a certain hash, it's possible to generate other strings that will cause that same hash, so they could still log in.
It's better than nothing still, but people are starting to move towards SHA-1 (sha1() function in PHP).
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Senior Coders
I have been using a scramble function which was created, is this no where near as safe as using SHA-1 or md5?
Modtoreador
Unless you're a military-class professional cryptographer or very, very lucky, I sincerely doubt it
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Senior Coders
I just read this on php.net
Should I steer clear of sha1?Note that the sha1 algorithm has been compromised and is no longer being used by government agencies.
As of PHP 5.1.2 a new set of hashing functions are available.
http://www.php.net/manual/en/function.hash.php
The new function hash() supports a new range of hashing methods.
echo hash('sha256', 'The quick brown fox jumped over the lazy dog.');
It is recommended that developers start to future proof their applications by using the stronger sha-2, hashing methods such as sha256, sha384, sha512 or better.
As of PHP 5.1.2 hash_algos() returns an array of system specific or registered hashing algorithms methods that are available to PHP.
print_r(hash_algos());
Modtoreador
Oh, I didn't know that. Yes, use SHA-256 then. I really should keep up with cryptography news.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Senior Coders
It is true that some md5 inputs have the same hash generated, but people should write their scripts smarter, not just using the latest encryption methods.
This almost eliminates the possibility of someone stumbling upon a password with the same hash, AND the same appended hash.PHP Code:Password Is:
<?php
$hash = "md5($correct_password)";
$appendedhash = "md5($correct_password."fixed string")";
if ((md5($_POST['pass']) == $hash) && (md5($_POST['pass']."fixed string") == $appendedhash)) {
echo "Correct";
} else {
echo "Incorrect";
} ?>
I hope im making sense...
Modtoreador
Yes, it does help, but if the database is compromised it makes sense to assume that the filesystem is compromised too, so it's quite likely that the attacker will have access to this appended string already. It's good for the off-chance that the attacker has database access but not filesystem, though.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Posting Permissions
Reply With Quote
Bookmarks