md6, decryptable?


ignace

MD5 is decryptable, SHA-1 is decryptable; I am really worried now about how safe my data is. And because I'm not an expert of any kind, I am asking you guys how safe the following function really is. I called it md6 because it is based upon the md5 encryption.

[code]
// Returns the md5 hex digest of $Input with the last $Extract characters removed.
function md6($Input, $Extract) {
   $sReturn = md5($Input);
   return substr($sReturn, 0, strlen($sReturn) - $Extract);
}
[/code]

Of course $Extract will need to remain the same all the time, so whenever a user logs in or registers, a certain number of characters is extracted from the total length of the encrypted (pass)word. And md5 is now only used as a "commission agent". I think this makes the encrypted data more secure because a number of characters are missing, making it somehow impossible to correctly decrypt it. (I never say never, of course.)

P.S.: My native language is Dutch, and when I translated the word I was looking for with AltaVista I got "commission agent". Wrong choice of words, I know, but I found it quite amusing and even funny.

md5/sha1 use one-way encryption, meaning it cannot be decrypted; however, it can with brute force, and that cannot be done easily. Don't use md5 on its own. Use it with salt. If you add salt to your passwords it can become even harder for a hacker to brute force the password.
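To see what removing characters actually does, the following added example (not part of any post in this thread) reuses md6() from the first post and compares it with PHP's built-in password_hash() and password_verify() (PHP 5.5+), which apply a random salt per password instead of md5 with a hand-made salt. The sample passwords and the firstCollision() helper with its limit are assumptions made for illustration.

```php
<?php
// Added example. md6() is the function from the first post; everything else
// (sample passwords, firstCollision(), its limit) is assumed for illustration.
function md6($Input, $Extract) {
    $sReturn = md5($Input);
    return substr($sReturn, 0, strlen($sReturn) - $Extract);
}

// 1. Truncation is deterministic: the same password always gives the same
//    stored value, so a guess is checked by calling md6() on it, just as it
//    would be with plain md5(). Nothing has to be "decrypted".
$stored = md6('hunter2', 8);
echo "same password matches:  ", var_export(md6('hunter2', 8) === $stored, true), "\n";
echo "other password matches: ", var_export(md6('letmein', 8) === $stored, true), "\n";

// 2. Every removed character shrinks the set of possible outputs, so distinct
//    passwords start sharing one stored value and both would log in.
function firstCollision($Extract, $limit = 200000) {
    $seen = array();
    for ($i = 0; $i < $limit; $i++) {
        $candidate = 'pw' . $i;               // constructed inputs
        $h = md6($candidate, $Extract);
        if (isset($seen[$h])) {
            return array($seen[$h], $candidate, $i + 1);
        }
        $seen[$h] = $candidate;
    }
    return null;                              // none within $limit tries
}
foreach (array(28, 26, 24) as $Extract) {     // keeps 4, 6, 8 hex characters
    $c = firstCollision($Extract);
    echo "Extract=$Extract: ", $c === null
        ? "no collision in the sample\n"
        : "'$c[0]' and '$c[1]' collide after $c[2] inputs\n";
}

// 3. password_hash() adds a random salt per call and uses a slow algorithm;
//    equal passwords no longer produce equal stored values.
$a = password_hash('hunter2', PASSWORD_DEFAULT);
$b = password_hash('hunter2', PASSWORD_DEFAULT);
echo "two hashes of one password equal: ", var_export($a === $b, true), "\n";
echo "correct password verifies: ", var_export(password_verify('hunter2', $a), true), "\n";
echo "wrong password verifies:   ", var_export(password_verify('letmein', $a), true), "\n";
```

Store the whole string returned by password_hash(); it carries the algorithm, cost and salt that password_verify() needs.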

Firstly, encrypt / decrypt implies "Encryption". By definition, encryption is "obscurity created by method", meaning that which is encrypted was done so by a particular method, in our case "salt" or "key". This also lends to reason that it can be reversed, or "decrypted".

md5 is a hash mechanism, meaning that there isn't a "salt" or "key" to generate the obscurity. A hash is a system where a fixed object is believed to consistently produce a like object on another plane or dimension.

So if I say

md5 ("test");

and it produces 828rgr435t9br54452

so long as I remembered that "test" = 828rgr435t9br54452 as an md5 hash then it wouldn't be secure; the idea, though, is that hashes are so long, with no recognizable pattern, that humans cannot, or at least find it very difficult to, commit them to memory in a moment's glance (which is all most hackers have).

It's not for the novice to know that 828rgr435t9br54452 is an md5 hash just by looking at it either; to see a hash string at its value and know what generated it is another story altogether.
