justlukeyou Posted June 8, 2012 Share Posted June 8, 2012 A number of sites, most notably LinkedIn, have had a large number of their passwords released by hackers. I am close to complete my first membership based site which is currently based on MD5. Its reported that a hacking group has now hacked MD5 at will. SHA-2 is currently the strongest password encryption. Is this the best format to use, I dont even know if it can be used with PHP/MySQL but MD5 sounds very weak now. What password protection to you use? http://www.zdnet.com/blog/security/md5-password-scrambler-no-longer-safe/12317 It does beg the question why a site the size of LinkedIn was using MD5 and not a more secure encryption. Quote Link to comment https://forums.phpfreaks.com/topic/263853-seriously-time-for-sha-2-currently-using-md5/ Share on other sites More sharing options...
Drongo_III Posted June 8, 2012 Share Posted June 8, 2012 Just using straight MD5 to hash your passwords would never be very secure. You should really use MD5, Sha1 and salt the password before you store it. That's generally the preferred route. Google Salting password in php on google and it'll return loads of guides. Drongo A number of sites, most notably LinkedIn, have had a large number of their passwords released by hackers. I am close to complete my first membership based site which is currently based on MD5. Its reported that a hacking group has now hacked MD5 at will. SHA-2 is currently the strongest password encryption. Is this the best format to use, I dont even know if it can be used with PHP/MySQL but MD5 sounds very weak now. What password protection to you use? http://www.zdnet.com/blog/security/md5-password-scrambler-no-longer-safe/12317 It does beg the question why a site the size of LinkedIn was using MD5 and not a more secure encryption. Quote Link to comment https://forums.phpfreaks.com/topic/263853-seriously-time-for-sha-2-currently-using-md5/#findComment-1352118 Share on other sites More sharing options...
PFMaBiSmAd Posted June 8, 2012 Share Posted June 8, 2012 A number of sites, most notably LinkedIn, have had a large number of their passwords released by hackers. The sites you have heard about where masses of passwords have been gotten and released, were the result of either storing the passwords as plain text, encrypting the password and someone gained sufficient access to the code to get the encryption key, or more simply they added code at the point where the raw passwords where being processed and they simply scraped/logged the actual passwords as they were being processed. Quote Link to comment https://forums.phpfreaks.com/topic/263853-seriously-time-for-sha-2-currently-using-md5/#findComment-1352145 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.