rychan #1
So, how secure is md5?
But is it?
Can I expect muchos crackerage if I only use md5 encryption for
passwords and is there another / better way?
Let's assume that I make sure people have to have a word/number combo
password.
I gotta keep this data safe from being tampered with :)
----------------------------------------
The post originated from PHP Freaks:
----------------------------------------
[url]http://www.phpfreaks.com[/url]
[url]http://www.phpfreaks.com/forums[/url]
rychan Guest
-
Matt Foster #2
Re: So, how secure is md5?
If the passwords are complex then I consider md5 to be safe. At any rate,
there should be enough security in place to stop the md5 hash being exposed
:)
Matt Foster Guest
-
rychan #3
Re: So, how secure is md5?
Cool Cool Cool now I can sleep safely again at nights ohhh
yeah!!
Not really ;)
rychan Guest
-
Matt Foster #4
Re: So, how secure is md5?
Remember username-password encrypted pairs too, there's nothing to stop you
fiddling with a password string pre-md5.
"rychan" <ryanc40@hotmail-dot-com.no-spam.invalid> wrote in message
news:6oydnf2sbZXLEOPdRVn_vQ@giganews.com...
> Cool Cool Cool now I can sleep safely again at nights ohhh
> yeah!!
> Not really ;)
Matt Foster Guest
-
Colin McKinnon #5
Re: So, how secure is md5?
rychan spilled the following:
> But is it?
>
> Can I expect muchos crackerage if i only use md5 encryption for
> passwords and is there another / better way?
>
> Lets assume that I make sure people have to have a word/number combo
> password.
>
> I gotta keep this data safe from being tampered with :)
Don't tell me you haven't discovered Google yet. It's amazing, just type in a
few keywords about the thing you want to know....and hey presto! Lots of
links. To save you the effort....
[url]http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=crypto+algorithm+strength+md5&btnG=Google+Search[/url]
But seriously, md5 is secure - but the strength of the encryption algorithm
is not nearly as relevant as how you implement it:
1) don't allow dictionary words for passwords - better still assign random
passwords (but beware that if people have to remember complex passwords,
they will start writing them down, and often people will share passwords
instead of going through proper channels).
2) try to limit the rate / number of attempts at logging in for a specific
user
3) if possible don't allow your PHP application direct access to the password
database nor the unencrypted password e.g. keep a database of username, the
corresponding password hashed with some random challenge, the challenge
used to hash the password initially.
php     - ask auth manager for the 'salt' or additional crypto challenge - $ch1
        - send this to browser, the auth manager should take some action to limit
          access to the record e.g. marking it as locked against initial read
          access for 30 seconds
browser - encrypted=md5(md5($password + $ch1) + $SID)
        - send back 'encrypted'
php     - ask auth manager to verify encrypted against parameters
            - username
            - SID
        - note that you cannot supply the challenge back to the auth
          manager otherwise brute force searching would work.
HTH
C.
Colin McKinnon Guest
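The exchange sketched in the post above, written out as an added example that is not part of the original thread or Colin McKinnon's own code. The AuthManager class, its method names, the in-memory store and the sample values are assumptions made for illustration, and md5() is kept only because the post specifies it.

```php
<?php
// Added illustration; AuthManager, its methods and the in-memory store are hypothetical.
// md5() appears only because the post specifies it; "." is PHP's concatenation.
final class AuthManager
{
    private array $users = [];       // username => ['ch1' => ..., 'hash' => ...]
    private array $lockedUntil = []; // username => time until challenge reads are refused

    public function register(string $user, string $password): void
    {
        $ch1 = bin2hex(random_bytes(16)); // random per-user challenge ("salt")
        $this->users[$user] = ['ch1' => $ch1, 'hash' => md5($password . $ch1)];
    }

    // Step 1: release the challenge, then lock further reads for 30 seconds.
    public function challengeFor(string $user, int $now): ?string
    {
        if (!isset($this->users[$user]) || ($this->lockedUntil[$user] ?? 0) > $now) {
            return null;
        }
        $this->lockedUntil[$user] = $now + 30;
        return $this->users[$user]['ch1'];
    }

    // Step 3: the caller passes username, SID and response, never the challenge.
    public function verify(string $user, string $sid, string $response): bool
    {
        if (!isset($this->users[$user])) {
            return false;
        }
        $expected = md5($this->users[$user]['hash'] . $sid);
        return hash_equals($expected, $response); // constant-time comparison
    }
}

// Step 2, the browser's calculation (in PHP here so the example is one file).
function browserResponse(string $password, string $ch1, string $sid): string
{
    return md5(md5($password . $ch1) . $sid);
}

// Constructed sample values; 1000 and 1005 stand in for timestamps in seconds.
$auth = new AuthManager();
$auth->register('alice', 'tr0ub4dor');
$sid = bin2hex(random_bytes(16)); // stands in for the session ID
$ch1 = $auth->challengeFor('alice', 1000);
var_dump($auth->verify('alice', $sid, browserResponse('tr0ub4dor', $ch1, $sid)));  // right password
var_dump($auth->verify('alice', $sid, browserResponse('wrong-pass', $ch1, $sid))); // wrong password
var_dump($auth->challengeFor('alice', 1005)); // second read inside the 30 s lock
```

In this layout the stored md5($password . $ch1) is all that is needed to compute a valid response, so the auth manager's records need the same protection the passwords themselves would.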
-
Kevin Torr #6
Re: So, how secure is md5?
"rychan" <ryanc40@hotmail-dot-com.no-spam.invalid> wrote in message
news:xfydnRe8W8Kj7OPdRVn_vQ@giganews.com...
> But is it?
>
> Can I expect muchos crackerage if i only use md5 encryption for
> passwords and is there another / better way?
>
> Lets assume that I make sure people have to have a word/number combo
> password.
>
> I gotta keep this data safe from being tampered with :)
As I understand it, MD5 is relatively 1-way.
It's not so much an encryption per se, it's a hash. In a sense it's similar
to a CRC. You can get a CRC from a file, but you can never get a file from a
CRC.
It's the same thing with MD5.
I actually have a very thick and heavy book on encryption that covers MD5 -
I just haven't had the time nor patience to sit down and read how it all
works exactly.
Kevin Torr Guest
-
kongshoj #7
Re: So, how secure is md5?
MD5 has been around for some years now and many people have tried to
attack it. There have been some vulnerabilities found but some
internal steps have prevented it from being broken. So I will say it is
still secure, time has proven it.
I have a few books on the subject and some of them suggest not to use
it.
Another one-way hash function that is used today is SHA-1, developed by
NSA. This one is the standard now in the US. This one is new and
there is no known attack against it, maybe because it is new. It
generates a 160 bit message digest where MD5 (only) has 128 bit.
The SHA family also has SHA-256, SHA-384 and SHA-512, where the
number is the size of the message digest. That of course makes them a
bit slower than MD5 and SHA-1. As far as I know only SHA-1 is
implemented in PHP.
But be sure if there is ever a real problem with MD5 you will be sure
to hear it because it is used a lot.
kongshoj Guest
-
shazzy #8
Re: So, how secure is md5?
Anybody have any thought about using mysql's password function?
Is this more or less secure than md5?
Thanks in advance for any replies,
- Shazzy
shazzy Guest
-
Žed Eye Media - Richard Grove #9
Re: So, how secure is md5?
> Anybody have any thought about using mysql's password function?
> Is this more or less secure than md5?
>
> Thanks in advance for any replies,
> - Shazzy
>
Less characters in mysql's password so password is less secure.
Although both are good enough in my humble opinion
RG
Žed Eye Media - Richard Grove Guest
-




