Jump to content

Can this be cracked uber easy?

Zephni

By Zephni
in PHP Coding Help

 Share

Recommended Posts

Zephni Member

Zephni

Posted
Posted

I may get flamed for this but would just like to see how easy someone would find it to crack this hashed string.

I don't mind someone saying the actual answer because its not a password or anything.

 

The method is sha1 (This is not recommended any more apperently)

 

The salt is 970631345a48485769c14d2e40a51706

 

The hashed string is 212405ffb01342e5eaefe2243fc14084082c2182

 

You don't need to recommend me to use PHPass, just testing

Link to comment
Share on other sites
peipst9lker Newbie

peipst9lker

Posted
Posted

With a good graphics card it is possible in a few hours or days.

Salted SHA1 is already 1 step into the more secure hashing methods.

Always use a salt, this prevents crackers from using rainbow tables.

You should add rounds to the sha1 encryption so that brute forcing takes significant more time.

 

crypt($input, '$5$rounds=5000$SALTHERE$');

 

Note that 5000 rounds is not that much you can change the value up to 999,999

Link to comment
Share on other sites
scootstah Member

scootstah

Posted
Posted

Thanks for your reply :) So its really  a case of, yes it can be cracked, but make it as slow as possible

 

It's a matter of slow AND using a good algorithm. MD5 and SHA1 were never meant to be used for password security. They are used for utilities, like checksums. They are very fast and don't have a lot of entropy. It is relatively easy to brute force or find collisions.

 

So, what you need is something that is meant for storing passwords, and that is bcrypt. If you don't want to use bcrypt, you can also be pretty safe using PBKDF2 with SHA512, and 10k iterations or so.

Link to comment
Share on other sites
KevinM1 Advanced Member

KevinM1

Posted
Posted

Thanks for your reply :) So its really  a case of, yes it can be cracked, but make it as slow as possible

 

It's a matter of slow AND using a good algorithm. MD5 and SHA1 were never meant to be used for password security. They are used for utilities, like checksums. They are very fast and don't have a lot of entropy. It is relatively easy to brute force or find collisions.

 

So, what you need is something that is meant for storing passwords, and that is bcrypt. If you don't want to use bcrypt, you can also be pretty safe using PBKDF2 with SHA512, and 10k iterations or so.

 

An easy way to do that is to use phpass: http://www.openwall.com/phpass/

 

And a tutorial (ignore any use of the 'global' keyword in the examples, and instead pass your parameters through the argument list): http://www.openwall.com/articles/PHP-Users-Passwords

Link to comment
Share on other sites
scootstah Member

scootstah

Posted
Posted

Thanks for your reply :) So its really  a case of, yes it can be cracked, but make it as slow as possible

 

It's a matter of slow AND using a good algorithm. MD5 and SHA1 were never meant to be used for password security. They are used for utilities, like checksums. They are very fast and don't have a lot of entropy. It is relatively easy to brute force or find collisions.

 

So, what you need is something that is meant for storing passwords, and that is bcrypt. If you don't want to use bcrypt, you can also be pretty safe using PBKDF2 with SHA512, and 10k iterations or so.

 

An easy way to do that is to use phpass: http://www.openwall.com/phpass/

 

And a tutorial (ignore any use of the 'global' keyword in the examples, and instead pass your parameters through the argument list): http://www.openwall.com/articles/PHP-Users-Passwords

 

Another option is phpseclib. It supports bcrypt and PBKDF2, and has a whole bunch of other useful utilities. Probably not as lightweight as PHPass, though.

Link to comment
Share on other sites
xyph Advanced Member

xyph

Posted
Posted

Thanks for your reply :) So its really  a case of, yes it can be cracked, but make it as slow as possible

 

It's a matter of slow AND using a good algorithm. MD5 and SHA1 were never meant to be used for password security. They are used for utilities, like checksums. They are very fast and don't have a lot of entropy. It is relatively easy to brute force or find collisions.

 

So, what you need is something that is meant for storing passwords, and that is bcrypt. If you don't want to use bcrypt, you can also be pretty safe using PBKDF2 with SHA512, and 10k iterations or so.

 

An easy way to do that is to use phpass: http://www.openwall.com/phpass/

 

And a tutorial (ignore any use of the 'global' keyword in the examples, and instead pass your parameters through the argument list): http://www.openwall.com/articles/PHP-Users-Passwords

 

YOU DID IT!!! HE TOLD YOU NOT TO BUT YOU DID IT!!! HOW COULD YOU!?!

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.