
Seriously Time For SHA-2? (Currently Using MD5)


justlukeyou


A number of sites, most notably LinkedIn, have had a large number of their passwords released by hackers. I am close to completing my first membership-based site, which is currently based on MD5.

 

It's reported that a hacking group can now crack MD5 at will. SHA-2 is currently the strongest password encryption. Is this the best format to use? I don't even know if it can be used with PHP/MySQL, but MD5 sounds very weak now.

 

What password protection do you use?

 

http://www.zdnet.com/blog/security/md5-password-scrambler-no-longer-safe/12317

 

It does beg the question why a site the size of LinkedIn was using MD5 and not a more secure encryption.

 

 


Just using straight MD5 to hash your passwords would never be very secure.

 

You should really use MD5 or SHA1 and salt the password before you store it. That's generally the preferred route.

 

Google "salting password in php" and it'll return loads of guides.

 

Drongo
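
The three approaches discussed in this thread side by side, as an added example that is not code from the thread or from either poster. It assumes PHP 7.1 or later (for password_hash(), hash_equals() and array destructuring) and builds the user records inline instead of reading them from MySQL; the function names are hypothetical.

```php
<?php
// Added example: unsalted MD5 (the OP's current scheme), per-user salted SHA-1 (the
// thread's suggestion), and password_hash() (what current PHP ships for this).
// Assumes PHP 7.1+; user records below are constructed, not read from MySQL.

declare(strict_types=1);

// 1. Plain md5(): no salt, so equal passwords give equal digests, and a digest can
//    be looked up in precomputed tables. This is the OP's current scheme.
function legacy_md5_hash(string $password): string
{
    return md5($password);
}

// 2. The thread's suggestion: a random per-user salt mixed into the digest. This
//    defeats table lookups and hides which users share a password, but MD5 and SHA-1
//    are fast by design, so guessing each user's password individually stays cheap.
function salted_sha1_hash(string $password, string $salt): string
{
    return $salt . ':' . sha1($salt . $password);
}

// 3. Recommended: password_hash() uses a deliberately slow algorithm (bcrypt for
//    PASSWORD_DEFAULT), generates the salt itself and embeds salt, algorithm and cost
//    in the returned string, so only that one string needs storing.
function modern_hash(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

// A legacy record is exactly 32 lowercase hex characters and carries no "$2y$" prefix.
function is_legacy_md5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

// Login path that migrates existing MD5 records transparently: verify against whichever
// scheme the stored value uses, and on success return a replacement hash for the caller
// to write back. Returns [bool $ok, ?string $newStoredValue].
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // Constant-time comparison so the check does not leak matching prefixes.
        if (!hash_equals($stored, md5($password))) {
            return [false, null];
        }
        return [true, modern_hash($password)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Rehash if the stored hash predates the current algorithm/cost settings.
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 12])
        ? modern_hash($password)
        : null;
    return [true, $new];
}

// Constructed sample users: alice and bob share a password and still have MD5 records,
// carol was registered with password_hash().
$users = [
    'alice' => legacy_md5_hash('correct horse'),
    'bob'   => legacy_md5_hash('correct horse'),
    'carol' => modern_hash('correct horse'),
];

// Unsalted md5 reveals that alice and bob share a password; password_hash() does not,
// because each call draws a fresh salt.
var_dump($users['alice'] === $users['bob']);
var_dump($users['carol'] === modern_hash('correct horse'));

// alice logs in: her MD5 record is accepted once and replaced with a bcrypt hash.
[$ok, $upgraded] = verify_and_upgrade('correct horse', $users['alice']);
var_dump($ok, $upgraded !== null && password_verify('correct horse', $upgraded));

// A wrong password is rejected and produces no replacement hash.
[$ok, $upgraded] = verify_and_upgrade('wrong', $users['bob']);
var_dump($ok, $upgraded);
```

The two comparisons print true for the MD5 pair and false for the bcrypt pair, the alice login prints true twice, and the wrong-password attempt prints false and NULL. When storing the password_hash() output in MySQL, use a column wide enough for future algorithms (the PHP manual recommends VARCHAR(255)); a bcrypt string is 60 characters, so a 32-character column sized for MD5 digests will truncate it.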

 

 


A number of sites, most notably LinkedIn, have had a large number of their passwords released by hackers.

 

The sites you have heard about, where masses of passwords have been gotten and released, were the result of either storing the passwords as plain text; encrypting the passwords, with someone then gaining sufficient access to the code to get the encryption key; or, more simply, someone adding code at the point where the raw passwords were being processed and scraping/logging the actual passwords as they went through.
