Today's Posts Follow Us On Twitter! TFL Members on Twitter  
Forum search: Advanced Search  
Navigation
Marketplace
  Members Login:
Lost password?
  Forum Statistics:
Forum Members: 24,254
Total Threads: 80,792
Total Posts: 566,471
There are 1090 users currently browsing (tf).
 
  Our Partners:
 
  TalkFreelance     Design and Development     Programming     PHP and MySQL :

Password encryption?

Thread title: Password encryption?
Closed Thread  
Page 2 of 4 < 1 2 3 4 >
    Thread tools Search this thread Display Modes  
02-16-2007, 04:46 AM
#11
Amross is offline Amross
Status: Member
Join date: Jan 2007
Location:
Expertise:
Software:
 
Posts: 311
iTrader: 4 / 100%
 

Amross is on a distinguished road

  Old

Hashing a hash has numerous negative effects actually. A simple md5($salt.$password) [or a different hash if you prefer] would be more than sufficient in most cases. What is the point on going so overboard if you aren't something that would justify that, such as a bank? There are tons of real world examples that you would never be so extensive over something so simple, why is hashing any different?

Of course if security really is that big of a concern, then you should be skipping all that hash of a hash mumbo jumbo anyways and go right to something like a SHA-512 algorithm.

02-16-2007, 05:02 AM
#12
Zara is offline Zara
Status: Member
Join date: Apr 2006
Location:
Expertise:
Software:
 
Posts: 249
iTrader: 9 / 100%
 

Zara is on a distinguished road

  Old

Originally Posted by Amross View Post
Hashing a hash has numerous negative effects actually. A simple md5($salt.$password) [or a different hash if you prefer] would be more than sufficient in most cases. What is the point on going so overboard if you aren't something that would justify that, such as a bank? There are tons of real world examples that you would never be so extensive over something so simple, why is hashing any different?
Honestly, the extra security in a matter of 10 or so keystrokes is well worth it in my opinion. md5($salt.$password) may not be sufficient because encryptions are used to protect passwords even if the database is hacked... Therefore, if someone takes an MD5 hash to an MD5 hash library and finds a password 1171601767barneylove or what ever... Odds are they will be able to find out that 1171601767 is the users registration date as a unix timestamp which means barneylove would be the password.

And with any system I write and most php developers, we make a single class to handle all of the user functions. We'd write those extra 10 characters maybe 2 times max... Once for the user login function and once for the user registration function.

You are saying it has numerous negative effects, please do inform me. I have not heard of any, and the fact that nearly every php programmer I know uses the same methods as I do makes me very curious.

02-16-2007, 05:05 AM
#13
Andrew R is offline Andrew R
Status: Request a custom title
Join date: Dec 2005
Location: Arizona
Expertise:
Software:
 
Posts: 5,200
iTrader: 17 / 95%
 

Andrew R is on a distinguished road

  Old

I just use md5(). It's the users fault if they use a dictionary word or something (even though, technically, it would be the site owners fault for someone getting in to the database in the first place).

02-16-2007, 05:09 AM
#14
Amross is offline Amross
Status: Member
Join date: Jan 2007
Location:
Expertise:
Software:
 
Posts: 311
iTrader: 4 / 100%
 

Amross is on a distinguished road

  Old

If you had a completely random salt, the hashes from the database even if they were obtained would not be found in a hash library anyways, so your reasoning isn't exactly justified, simply overblown for the purpose.

And again, if security is that big of a concern, you should not be using md5 or sha1 in the first place no matter how many times over you hash it.

02-16-2007, 05:12 AM
#15
Zara is offline Zara
Status: Member
Join date: Apr 2006
Location:
Expertise:
Software:
 
Posts: 249
iTrader: 9 / 100%
 

Zara is on a distinguished road

  Old

Originally Posted by Andrew R View Post
I just use md5(). It's the users fault if they use a dictionary word or something (even though, technically, it would be the site owners fault for someone getting in to the database in the first place).
Actually, I know many library's that contain more than just dictionary words. There are many hackers now that even have they're own private database on their computers that just make a php script to randomly generate literally a few hundred thousand strings and enter them into their database along side of the hash. I have also been told there are a few AIM Bots that search a few different libraries and return results from each, this is probably why I'm so paranoid about it as well though. All in all, I'd rather be safe than sorry... Especially over a matter of about 20 characters total.

Anyway, it's late so I'm off to bed. Peace.

02-16-2007, 05:52 AM
#16
echoSwe is offline echoSwe
Status: Member
Join date: Jul 2005
Location:
Expertise:
Software:
 
Posts: 185
iTrader: 0 / 0%
 

echoSwe is on a distinguished road

  Old

Originally Posted by noodles View Post
hm everyone here says, you shouldn't use md5... but why? isn't it secure?
As many above said, you can simply use a rainbow table to find the corresponding password to that specific hash.

MD5 is also such a quick algorithm that it borders on when you really have to use rainbow tables and when you can use a brute-force attack.
http://eprint.iacr.org/2006/105

However, as Phaaze said. You could use key strengthening.

I can't understand why you guys still argue about MD5. I don't usually deal with PHP; but just a quick search gave me this code snippet:
PHP Code:
$phrase "Hello World";

$sha1a =  base64_encode(sha1($phrase));
$sha1b =  base64_encode(bin2hex(mhash(MHASH_SHA1,$phrase)));
$sha256bbase64_encode(bin2hex(mhash(MHASH_SHA256,$phrase)));

echo (
"SHA1..:" $sha1a "\n");
echo (
"SHA1..:" $sha1b "\n");
echo (
"SHA256:" $sha256b "\n"); 
So I mean, what's so troublesome about that, that you can't use it? It's just a line of code and then you got your SHA-2 hash ready to go! Add a known salt to that, for example a large random number that you store in the column next to the password column and concatenate to the password before hashing it all. Then brute-force attacks can only be done on one password at a time, because all passwords use a different salt. This is what makes the time required to find the password increase so much that it becomes impractical to try, just using the hardware of today.

Although I'm wondering what quantum computing will turn out like and what it will do to the area of computer security.

Lastly, hashing != encryption, because it's irreversible. Encryption is stuff like blowfish and RSA.

02-16-2007, 05:53 AM
#17
Impluo is offline Impluo
Status: We're all mad here
Join date: Aug 2005
Location: Missouri
Expertise: programming
Software: Notepad
 
Posts: 1,606
iTrader: 0 / 0%
 

Impluo is on a distinguished road

  Old

Thanks for the information. I like keeping information secure

I've been to plenty of sites in the past that will store my password in plain text...I hate that

02-16-2007, 06:06 AM
#18
Zara is offline Zara
Status: Member
Join date: Apr 2006
Location:
Expertise:
Software:
 
Posts: 249
iTrader: 9 / 100%
 

Zara is on a distinguished road

  Old

Originally Posted by Impluo View Post
Thanks for the information. I like keeping information secure

I've been to plenty of sites in the past that will store my password in plain text...I hate that
Yea, one of which being Bidvertiser! I don't like anyone knowing my common passwords, especially when my name and email is linked to it. I don't care if it's the CEO of Bidvertiser or what so I keep that password completely different than any of my normal array of passwords..

You may wonder how I know they store the passwords in plain text, or at least a reversible encryption... Just do a "forgot password" request... Instead of sending you a new randomly generated password they send you your current password.

02-16-2007, 06:13 AM
#19
echoSwe is offline echoSwe
Status: Member
Join date: Jul 2005
Location:
Expertise:
Software:
 
Posts: 185
iTrader: 0 / 0%
 

echoSwe is on a distinguished road

  Old

Originally Posted by Impluo View Post
Thanks for the information. I like keeping information secure

I've been to plenty of sites in the past that will store my password in plain text...I hate that
No probs m8 . Yeah. Sometimes really big firms do as well. For example, my ISP sent out their customers' passwords in advertising leaflets. Obviously, there was a Swedish outrage (which equals 1 minute on the news, lol).

That's what you can get when you combine the sales-guy with technical ignorance. Always blame the sales guy ^^.

02-16-2007, 06:13 AM
#20
Impluo is offline Impluo
Status: We're all mad here
Join date: Aug 2005
Location: Missouri
Expertise: programming
Software: Notepad
 
Posts: 1,606
iTrader: 0 / 0%
 

Impluo is on a distinguished road

  Old

Originally Posted by Phaaze View Post
You may wonder how I know they store the passwords in plain text, or at least a reversible encryption... Just do a "forgot password" request... Instead of sending you a new randomly generated password they send you your current password.
Yea that is the same test I use on sites once I register just to make sure they aren't going to email me the password I registered with

Closed Thread  
Page 2 of 4 < 1 2 3 4 >


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes

  Posting Rules  
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump:
 
  Contains New Posts Forum Contains New Posts   Contains No New Posts Forum Contains No New Posts   A Closed Forum Forum is Closed