Password encryption... I think md5 it's called (or something?)
What exactly is the point of it?
If you use it and somebody hacks into your database and gets the md5 versions of the passwords can't they just UN md5 it and get the correct password from it, or does it not work like that?
Full Version: Password Questions...
md5 is a one way encryption. Although since it's become popular a lot of people have "unencrypted" it by basically making a script that encrypts a list of words and saves the unencrypted word and the md5 encrypted word in a list. Then they can search this list for your md5 hash of your password and get your pass that way.
But if you have a good secure password that wouldn't be found on a dictionary list then your alot safer.
Try md5 encrypting a simple word like password then google for "*insertmd5hash*" and it'll show a bunch of sites that list that hash unencrypted.
Sorry for the rough explanation, if you don't understand what I'm saying I can explain better tomorrow.
But if you have a good secure password that wouldn't be found on a dictionary list then your alot safer.
Try md5 encrypting a simple word like password then google for "*insertmd5hash*" and it'll show a bunch of sites that list that hash unencrypted.
Sorry for the rough explanation, if you don't understand what I'm saying I can explain better tomorrow.
Once again, as usual, thank you for the good information.
You're one of the few people who actually DESERVE the Website Hosting Trusted Helper badge, as for what I can see you're one of the few people who have it that actually HELP people.
Thanks!
You're one of the few people who actually DESERVE the Website Hosting Trusted Helper badge, as for what I can see you're one of the few people who have it that actually HELP people.
Thanks!
Got one paragraph into the wikipedia article, and was like.. Wow...
So md5 is very vulnerable or what? Working and can't read the entire thing.
What is the best method of password encyption?
So md5 is very vulnerable or what? Working and can't read the entire thing.
What is the best method of password encyption?
not if you md5 ( $username . $pass ) or email, keyword from site config, no1 ever hacks database servers. you can get md5 pass from some1s cookie. theres more chance of a sql injection happening then some1 downloading your db
What they mean by insecure is that it's possible to create a word with the same hash faster than brute force.
Bearing in mind that there are a finite number of md5 hashes, and an infinite number of things to be hashed, there are guaranteed to be 'collisions'. All these insecurities are are algorithms that do it slightly faster than trying random inputs. But the recent SHA-1 attack took 8 years...
I'd still rather use SHA-256 or similar though, as it's less common, less people are working on collisions for it.
swordz
Bearing in mind that there are a finite number of md5 hashes, and an infinite number of things to be hashed, there are guaranteed to be 'collisions'. All these insecurities are are algorithms that do it slightly faster than trying random inputs. But the recent SHA-1 attack took 8 years...
I'd still rather use SHA-256 or similar though, as it's less common, less people are working on collisions for it.
swordz
if you have you pass hashed in your cookie with base64_encode(). with the loging you will just be able to put in the md5hash anyway. or most of the time. the form will be
will look up the pass with a dbquery instead of..
if( $pass != md5($formpass) ) {
will look up the pass with a dbquery instead of..
if( $pass != md5($formpass) ) {
If you have been using CMS, you'll realize most of the CMS require a 'secret key' in your config file, which will be ultilized in your encryption. that way for someone to get your password, they not only require to guess your password string, but work out the secret key stored in your file.
most huh. they all nicked cyphering cookie data -> base64. from paganNuke
As mention before, MD5 is on-way, but does have a collision security issue. To make it much harder for a hacker to get your password, you add a salt to it. As below...
When I was writing a application for a someone, and needed for data to be secure. I developed custom algorithms using base64_encode, SHA and MD. Probably it is the best way to write it yourself, so no one could guess the process.
CODE
$salt = 'something here';
$hash = md5 ($pass . $salt);
$hash = md5 ($pass . $salt);
When I was writing a application for a someone, and needed for data to be secure. I developed custom algorithms using base64_encode, SHA and MD. Probably it is the best way to write it yourself, so no one could guess the process.
Thanks for the information.
So, basically... Adding two random salts like "dn382neda229"(salt1) and "riei3838fbdfdzzz8"(salt2) and doing
would make it almost impossible to figure out?
So, basically... Adding two random salts like "dn382neda229"(salt1) and "riei3838fbdfdzzz8"(salt2) and doing
CODE
$hash = md5($salt1 . $password . $salt2);
would make it almost impossible to figure out?
It would certainly make it difficult as hell!
I would suggest storing the salts somewhere though if you want to ever use that password
FOr instance store the salt:hash int a mysql column and then use explode(":",$md5); to explode the hash and salt into an array and then you can verify the submitted password w/ the md5 salted hash in the db.
If someone would find it useful i can post up my script im using that does a more complicated version of what i explained above.
I would suggest storing the salts somewhere though if you want to ever use that password
FOr instance store the salt:hash int a mysql column and then use explode(":",$md5); to explode the hash and salt into an array and then you can verify the submitted password w/ the md5 salted hash in the db.
If someone would find it useful i can post up my script im using that does a more complicated version of what i explained above.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.