manix Posted August 2, 2011

Hey,

Does it make it harder for someone to bruteforce a string which is hashed multiple times?

For example, I have the string 'John' and I do md5(md5($john)); would that be the same as md5($john)? Or maybe if I do md5(sha1(md5($john)))?

And also, is it possible to tell the hashing, which would make this whole post pointless?

freelance84 Posted August 2, 2011

Hashing the password prevents someone from seeing the password if they managed to access the database.

I don't think it is possible to completely stop a brute force attempt, but you can slow them down with a CAPTCHA:

1. The user starts a session when 1st accessing the homepage.
2. Count the number of log in attempts into a session variable or cookie.
3. When the count reaches a certain value, tell the user they must now complete a CAPTCHA to continue... or anything similar.

Nodral Posted August 2, 2011

I'd agree with this, however I tend to give them 3 attempts, then they must close the browser (i.e. reset the session variable) and start over.

manix (Author) Posted August 2, 2011

Nah, I have a cookie containing a hashed username (if the user chose to stay logged in forever), but if a user can tell what hashing I used and then hashes the admin username the same way I hashed the cookie, they will be able to log in with the admin account.

Example:

database username: philip
cookie's value: sha1(md5(sha1($username)))

then check

if (sha1(md5(sha1($databaseusername))) == $_COOKIE['username']) { /* add user panel etc etc */ }

My point is that a user can see the cookie's value and bruteforce it without using the website at all if they can tell the hashing.

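The cookie in the post above is an unkeyed hash of the username, so its value can be computed without the site. The following is an added example, not code from the thread: it puts that scheme beside a cookie authenticated with a server-side key (HMAC-SHA256) and an expiry. The function names, the cookie layout and the sample values are assumptions made for illustration.

```php
<?php
// Added example (hypothetical names). Scheme from the post: no secret goes
// in, so anyone who learns or guesses the chain can compute any user's value.
function weakCookie(string $username): string
{
    return sha1(md5(sha1($username)));
}

// Hardened form: username and expiry authenticated with a keyed MAC.
function makeRememberCookie(string $username, int $expires, string $key): string
{
    $payload = base64_encode($username) . '.' . $expires;
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// Returns the username if the cookie is authentic and unexpired, else null.
function verifyRememberCookie(string $cookie, int $now, string $key): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$user64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user64 . '.' . $expires, $key);
    // hash_equals() compares in constant time, unlike ==.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;
    }
    $username = base64_decode($user64, true);
    return $username === false ? null : $username;
}

// Constructed sample data. The key is generated per run to keep the example
// self-contained; a real site loads a fixed secret from server configuration.
$key = random_bytes(32);
$now = time();
$cookie = makeRememberCookie('philip', $now + 86400, $key);
var_dump(verifyRememberCookie($cookie, $now, $key));   // genuine cookie

// Same cookie with the username swapped: the MAC no longer matches.
$tampered = base64_encode('admin') . substr($cookie, strpos($cookie, '.'));
var_dump(verifyRememberCookie($tampered, $now, $key));
// The unkeyed chain used as a "signature" fails as well.
$unkeyed = base64_encode('admin') . '.' . ($now + 86400) . '.' . weakCookie('admin');
var_dump(verifyRememberCookie($unkeyed, $now, $key));
```

A signed cookie stays valid until it expires; a random token stored server-side and looked up on each request is the alternative when individual logins must be revocable.
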
Muddy_Funster Posted August 2, 2011

If you're worried about the strength of your hash, use a stronger encryption. Also, I tend to use a substring lookup on any hashes I use; you could use that to mask what type of algorithm you have used by only selecting certain parts of the hashed string for storage and comparison.

manix (Author) Posted August 2, 2011

Erm.. okay. I just want to know, is this:

md5(sha1(md5($str)))

stronger than this:

md5($str)

Muddy_Funster Posted August 2, 2011

Yes, but it's overcomplicating things. Check out the crypt() function if you want to apply something stronger.