  1. #1

    So, how secure is md5?

    But is it?

    Can I expect muchos crackerage if I only use md5 encryption for
    passwords and is there another / better way?

    Let's assume that I make sure people have to have a word/number combo
    password.

    I gotta keep this data safe from being tampered with :)



    ----------------------------------------
    The post originated from PHP Freaks:
    ----------------------------------------
    [url]http://www.phpfreaks.com[/url]
    [url]http://www.phpfreaks.com/forums[/url]


    rychan Guest

  2. #2

    Re: So, how secure is md5?

    If the passwords are complex then I consider md5 to be safe. At any rate,
    there should be enough security in place to stop the md5 hash being exposed
    :)


    Matt Foster Guest

  3. #3

    Re: So, how secure is md5?

    Cool Cool Cool now I can sleep safely again at nights ohhh
    yeah!!
    Not really ;)





    rychan Guest

  4. #4

    Re: So, how secure is md5?

    Remember username-password encrypted pairs too, there's nothing to stop you
    fiddling with a password string pre-md5.


    "rychan" <ryanc40@hotmail-dot-com.no-spam.invalid> wrote in message
    news:6oydnf2sbZXLEOPdRVn_vQ@giganews.com...
    > Cool Cool Cool now I can sleep safely again at nights ohhh
    > yeah!!
    > Not really ;)

    Matt Foster Guest

  5. #5

    Re: So, how secure is md5?

    rychan spilled the following:
    > But is it?
    >
    > Can I expect muchos crackerage if I only use md5 encryption for
    > passwords and is there another / better way?
    >
    > Let's assume that I make sure people have to have a word/number combo
    > password.
    >
    > I gotta keep this data safe from being tampered with :)

    Don't tell me you haven't discovered Google yet. It's amazing, just type in a
    few keywords about the thing you want to know....and hey presto! Lots of
    links. To save you the effort....

    [url]http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=crypto+algorithm+strength+md5&btnG=Google+Search[/url]

    But seriously, md5 is secure - but the strength of the encryption algorithm
    is not nearly as relevant as how you implement it:

    1) don't allow dictionary words for passwords - better still assign random
    passwords (but beware that if people have to remember complex passwords,
    they will start writing them down, and often people will share passwords
    instead of going through proper channels).

    2) try to limit the rate / number of attempts at logging in for a specific
    user

    3) if possible don't allow your PHP application direct access to the password
    database nor the unencrypted password e.g. keep a database of username, the
    corresponding password hashed with some random challenge, the challenge
    used to hash the password initially.

    php     - ask auth manager for the 'salt' or additional crypto challenge - $ch1
            - send this to browser, the auth manager should take some action to limit
              access to the record e.g. marking it as locked against initial read
              access for 30 seconds
    browser - encrypted=md5(md5($password + $ch1) + $SID)
            - send back 'encrypted'
    php     - ask auth manager to verify encrypted against parameters
                - username
                - SID
            - note that you cannot supply the challenge back to the auth
              manager otherwise brute force searching would work.

    HTH

    C.
    Colin McKinnon Guest
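
The exchange outlined in the post above, modelled end to end as an added example (not part of the original thread or Colin McKinnon's code). The `AuthManager` class, its method names, the 16-byte challenge and the sample user, password and SIDs are assumptions; MD5 is kept only because the post uses it.

```javascript
const { createHash, randomBytes, timingSafeEqual } = require('crypto');
const md5 = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// Hypothetical auth manager: the only component that reads the credential store.
class AuthManager {
  constructor(now = () => Date.now()) {
    this.now = now;           // injectable clock so the 30 s lock can be exercised
    this.records = new Map(); // username -> { ch1, hashed, lockedUntil }
  }
  enroll(username, password) {
    const ch1 = randomBytes(16).toString('hex'); // random per-user challenge
    this.records.set(username, { ch1, hashed: md5(password + ch1), lockedUntil: 0 });
  }
  // Step 1: release ch1, then lock the record against another read for 30 seconds.
  getChallenge(username) {
    const rec = this.records.get(username);
    if (!rec || this.now() < rec.lockedUntil) return null;
    rec.lockedUntil = this.now() + 30000;
    return rec.ch1;
  }
  // Step 3: takes username, SID and response; the challenge is never a parameter.
  verify(username, sid, encrypted) {
    const rec = this.records.get(username);
    if (!rec) return false;
    const expected = Buffer.from(md5(rec.hashed + sid), 'hex');
    const got = Buffer.from(String(encrypted), 'hex');
    return got.length === expected.length && timingSafeEqual(got, expected);
  }
}

// Step 2, browser side: encrypted = md5(md5($password + $ch1) + $SID)
function browserResponse(password, ch1, sid) {
  return md5(md5(password + ch1) + sid);
}

// One login with constructed values (user, password and SIDs are made up).
function demo() {
  let t = 0;
  const am = new AuthManager(() => t);
  am.enroll('alice', 'tr1cky-Pass9');
  const ch1 = am.getChallenge('alice');
  const lockedRead = am.getChallenge('alice'); // second read inside the lock window
  const resp = browserResponse('tr1cky-Pass9', ch1, 'sess-0001');
  t = 30000;                                    // lock window has elapsed
  return { ok: am.verify('alice', 'sess-0001', resp),
           replayOnOtherSid: am.verify('alice', 'sess-0002', resp),
           wrongPassword: am.verify('alice', 'sess-0001', browserResponse('guess', ch1, 'sess-0001')),
           lockedRead, rereadAfterLock: am.getChallenge('alice') === ch1 };
}
```

Binding the response to the SID means a captured value fails on any other session. The stored `md5(password + ch1)` is what proves identity in this scheme, so the credential store needs the same protection as the passwords themselves.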

  6. #6

    Re: So, how secure is md5?

    "rychan" <ryanc40@hotmail-dot-com.no-spam.invalid> wrote in message
    news:xfydnRe8W8Kj7OPdRVn_vQ@giganews.com...
    > But is it?
    >
    > Can I expect muchos crackerage if I only use md5 encryption for
    > passwords and is there another / better way?
    >
    > Let's assume that I make sure people have to have a word/number combo
    > password.
    >
    > I gotta keep this data safe from being tampered with :)
    As I understand it, MD5 is relatively 1-way.
    It's not so much an encryption per se, it's a hash. In a sense it's similar
    to a CRC. You can get a CRC from a file, but you can never get a file from a
    CRC.
    It's the same thing with MD5.

    I actually have a very thick and heavy book on encryption that covers MD5 -
    I just haven't had the time nor patience to sit down and read how it all
    works exactly.


    Kevin Torr Guest

  7. #7

    Re: So, how secure is md5?

    MD5 has been around for some years now and many people have tried to
    attack it. There have been some vulnerabilities found but some
    internal steps have prevented it from being broken. So I will say it is
    still secure; time has proven it.

    I have a few books on the subject and some of them suggest not to use
    it.

    Another one-way hash function that is used today is SHA-1, developed by
    the NSA. This one is the standard now in the US. This one is new and
    there is no known attack against it, maybe because it is new. It
    generates a 160-bit message digest where MD5 (only) has 128 bits.

    The SHA family also has SHA-256, SHA-384 and SHA-512, where the
    number is the size of the message digest. That of course makes them a
    bit slower than MD5 and SHA-1. As far as I know only SHA-1 is
    implemented in PHP.

    But be sure, if there is ever a real problem with MD5 you will be sure
    to hear it because it is used a lot.







    kongshoj Guest

  8. #8

    Re: So, how secure is md5?

    Anybody have any thought about using mysql's password function?
    Is this more or less secure than md5?

    Thanks in advance for any replies,
    - Shazzy






    shazzy Guest

  9. #9

    Re: So, how secure is md5?

    > Anybody have any thought about using mysql's password function?
    > Is this more or less secure than md5?
    >
    > Thanks in advance for any replies,
    > - Shazzy
    >
    Fewer characters in mysql's password so password is less secure.
    Although both are good enough in my humble opinion
    RG


    ®ed Eye Media - Richard Grove Guest

  10. #10

    Thumbs down Re: So, how secure is md5?

    md5 is no longer recommended - try md5decryption.com
    Joey Guest
