MasterACE14 Posted September 16, 2011 Share Posted September 16, 2011 Hi, I could of sworn I have seen someone post in a thread as to why it makes the original hash less secure, but I am having no luck in finding that post. So, why is...(for example) $hash = md5(md5('password+salt')); ...bad? I can see why it's redundant, but I don't understand how it makes the hash less secure? Thanks, Ace Quote Link to comment Share on other sites More sharing options...
premiso Posted September 16, 2011 Share Posted September 16, 2011 The main thing is it makes the hash larger and increases the chances of collisions. Instead of doing double md5's I would do the inner md5 and the outside sha1. But a good unique salt would do better than doing an inner md5 hash. But yea, that is the main reason why it would be considered bad practice. What is a collision? Basically it increases the chances that user X's hash is the same as user's Y's which can be a security breach if someone by chance figures out an exploit or accidentally gets authenticated as that user. Edit: Along side of that, it would also increase the chance that a brute force attack would be successful, as with the collisions, it could mean that they could do less attacks and perhaps get "lucky". Quote Link to comment Share on other sites More sharing options...
MasterACE14 Posted September 16, 2011 Author Share Posted September 16, 2011 very informative, thank you kindly. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.