
Can this be cracked uber easy?


Zephni


I may get flamed for this but would just like to see how easy someone would find it to crack this hashed string.

I don't mind someone saying the actual answer because it's not a password or anything.

 

The method is sha1 (this is not recommended any more, apparently)

 

The salt is 970631345a48485769c14d2e40a51706

 

The hashed string is 212405ffb01342e5eaefe2243fc14084082c2182

 

You don't need to recommend me to use PHPass, just testing


With a good graphics card it is possible in a few hours or days.

Salted SHA1 is already 1 step into the more secure hashing methods.

Always use a salt; this prevents crackers from using rainbow tables.

You should add rounds to the sha1 encryption so that brute forcing takes significantly more time.

 

crypt($input, '$5$rounds=5000$SALTHERE$');

 

Note that 5000 rounds is not that much; you can change the value up to 999,999.

  Quote

Thanks for your reply :) So it's really a case of: yes, it can be cracked, but make it as slow as possible

 

It's a matter of slow AND using a good algorithm. MD5 and SHA1 were never meant to be used for password security. They are used for utilities, like checksums. They are very fast and don't have a lot of entropy. It is relatively easy to brute force or find collisions.

 

So, what you need is something that is meant for storing passwords, and that is bcrypt. If you don't want to use bcrypt, you can also be pretty safe using PBKDF2 with SHA512, and 10k iterations or so.


An easy way to do that is to use phpass: http://www.openwall.com/phpass/

 

And a tutorial (ignore any use of the 'global' keyword in the examples, and instead pass your parameters through the argument list): http://www.openwall.com/articles/PHP-Users-Passwords


Another option is phpseclib. It supports bcrypt and PBKDF2, and has a whole bunch of other useful utilities. Probably not as lightweight as PHPass, though.


YOU DID IT!!! HE TOLD YOU NOT TO BUT YOU DID IT!!! HOW COULD YOU!?!
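
The advice in the replies above (a single salted SHA-1 pass is fast to brute-force; bcrypt or PBKDF2 with SHA512 and about 10k iterations is not), as an added example that is not code from any poster in this thread: it measures the guess rate each scheme allows and upgrades a legacy SHA-1 record to bcrypt on a successful login. The function names, the sample password, the salt-then-password concatenation order and the bcrypt cost of 12 are assumptions; `password_hash` is PHP's built-in bcrypt API.

```php
<?php
// Added example. Function names, the sample password and the bcrypt cost are
// illustrative; sha1($salt . $password) is an assumed concatenation order.
function legacy_sha1(string $password, string $salt): string {
    return sha1($salt . $password);              // one fast SHA-1 pass
}

function pbkdf2_sha512(string $password, string $salt, int $iterations = 10000): string {
    return hash_pbkdf2('sha512', $password, $salt, $iterations); // hex, full length
}

// Check a login against a stored record. On success, return a bcrypt record to
// store in place of a legacy SHA-1 one (or of a bcrypt one with a lower cost).
function verify_and_upgrade(string $password, array $record, int $cost = 12): array {
    $opts = ['cost' => $cost];
    if ($record['scheme'] === 'sha1') {
        $ok = hash_equals($record['hash'], legacy_sha1($password, $record['salt']));
        $stale = true;
    } else {
        $ok = password_verify($password, $record['hash']);
        $stale = password_needs_rehash($record['hash'], PASSWORD_BCRYPT, $opts);
    }
    $new = ($ok && $stale)
        ? ['scheme' => 'bcrypt', 'hash' => password_hash($password, PASSWORD_BCRYPT, $opts)]
        : null;
    return [$ok, $new];
}

// Rough single-core rate: how many candidate passwords per second one hash function allows.
function guesses_per_second(callable $hash, float $seconds = 0.5): float {
    $n = 0;
    $start = microtime(true);
    do {
        $hash("guess$n");
        $n++;
    } while (microtime(true) - $start < $seconds);
    return $n / (microtime(true) - $start);
}

$salt   = bin2hex(random_bytes(16));             // constructed per-user salt
$record = ['scheme' => 'sha1', 'salt' => $salt, 'hash' => legacy_sha1('correct horse', $salt)];

printf("salted sha1 : %10.0f guesses/s\n", guesses_per_second(fn($g) => legacy_sha1($g, $salt)));
printf("pbkdf2 10k  : %10.0f guesses/s\n", guesses_per_second(fn($g) => pbkdf2_sha512($g, $salt)));
printf("bcrypt 12   : %10.0f guesses/s\n", guesses_per_second(fn($g) => password_hash($g, PASSWORD_BCRYPT, ['cost' => 12])));

[$ok, $upgraded] = verify_and_upgrade('correct horse', $record);
[$bad]           = verify_and_upgrade('wrong guess', $record);
var_dump($ok, $upgraded['scheme'], $bad);
```

The absolute rates depend on the machine and are far below what a graphics card reaches for SHA-1; the ratio between the three lines is what the replies are describing.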

Archived

This topic is now archived and is closed to further replies.
