cluce Posted May 14, 2007

What is more secure, the password or SHA-1 function? Or will both of these do a good job of protecting the password? I know one just disguises the password with a fingerprint which is not encrypted and the SHA-1 is encrypted. Any opinions would be great.

corbin Posted May 14, 2007

I have no idea what the password method does or is, but the SHA-1 encryption has been reversed if I remember right. I would go with md5... md5 can be dictionary attacked, but it takes a long time, or a word list, which most aren't public access.

If you're really paranoid, I would suggest using md5 and salting... Example:

md5("mypassword123" . "2930jl;dlakjdfrandomstufftomakemd5weird");

cluce Posted May 14, 2007 (Author)

I meant the MySQL password function.

Dragen Posted May 14, 2007

I think corbin was still right. md5 is more secure.

john010117 Posted May 14, 2007

I believe md5 is the only function that cannot be decrypted (very easily). I use md5 all the time.

cmccully Posted May 15, 2007

Well, I have always liked salt in my food, now I think I like salt in my password code as well. Thanks for the tip, Corbin.

hitman6003 Posted May 15, 2007

Why does everyone think MD5 can be reversed / decrypted?

Neither MD5 nor SHA1 has been "broken". Some Chinese mathematicians have discovered that it is possible to generate a collision for the two HASHING algorithms. They don't encrypt, they hash... encryption is designed to be reversed to get the original string back. A hash attempts to generate a unique identifier for the hashed value. If you want to know more about the collisions, read the Wikipedia articles on MD5 and SHA1.

Despite the fact that collisions can be generated, it isn't the easiest thing in the world to do. Even if it was, the "hacker" would need to know what the MD5, or SHA1, hash is. That is normally not something you should be just giving out. So, in order for the attacker to get the hash, they would have to already have access to your database... at which point they can just create their own user name and password.

Before anyone says anything about the websites that claim to reverse md5, they don't reverse anything... they compare the provided hash to the values stored in a database and hope for a match... the largest, I think, has 40 million records... the possible number of hashes for MD5 is 2^128... which is WAAAAAYYYYYYY more than 40 million.

In terms of hash strength, the mysql PASSWORD is 41 bytes long and md5 is 128 bytes long. I don't remember how long SHA1 is (I think 160, but not sure).

I encourage you to read more about hashing and make a decision for yourself. Neither MD5 nor SHA1 has been reversed, however there is a (VERY) remote possibility of a collision being found for both.

http://en.wikipedia.org/wiki/Sha1
http://en.wikipedia.org/wiki/Md5
http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html

btherl Posted May 15, 2007

Just to clarify, the "md5 decryption" sites apply to unsalted passwords only. If you use a salt, those sites will be unable to find your original passwords. The hacker will need to use brute force, which is still very slow for md5.

The purpose of using md5 (or another hash) is for the case where someone has hacked into your website, and has downloaded your password list. Then you want to make sure they cannot recover the original passwords (or not easily, anyway). Often, people will use the same password for different sites, so knowing your password to one site may give a hacker access to other sites, so this is why you want to keep the password unknown even if a hacker has control of your site.

marf Posted May 15, 2007

I'm not saying it isn't true, but I remember about 4ish years ago when I was playing around with the md5 in PHP4, and my friend said that he found some little program somebody else wrote. He showed me, he inputted my encrypted md5 password, and it yielded the result. Maybe there was a huge glitch in an old version of PHP4 md5 function, but I vividly remember this. I'm assuming that this isn't the case anymore.

btherl Posted May 15, 2007

I suspect your friend's program had a pre-programmed list of passwords and hashes, and it just looked yours up. Was your password something common, like blink182 or trustno1? If you picked a password like NtEtG!#1 and the program could find it, THEN I would be worried.

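The lookup described in the posts above (a precomputed table of hashes, which a salt defeats), as an added example that is not part of the thread. The word list, the function names and the per-user random salt are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. The word list is constructed.

// A "reverse MD5" site is a precomputed table mapping hash => original word.
function build_lookup_table(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Return the original word if the hash is in the table, otherwise null.
function lookup(array $table, string $hash): ?string
{
    return $table[$hash] ?? null;
}

// Assumption: a random per-user salt, stored next to the hash.
function make_salted_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => md5($password . $salt)];
}

// Recompute with the stored salt and compare in constant time.
function verify(string $password, array $record): bool
{
    return hash_equals($record['hash'], md5($password . $record['salt']));
}

$table  = build_lookup_table(['blink182', 'trustno1', 'password', 'letmein']);
$record = make_salted_record('trustno1');

// Unsalted hash of a listed word: the table returns the word.
var_dump(lookup($table, md5('trustno1')));
// Salted hash of the same word: no entry, because the table was built without the salt.
var_dump(lookup($table, $record['hash']));
// The site itself can still check a login, since it knows the salt.
var_dump(verify('trustno1', $record));
var_dump(verify('blink182', $record));
```
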
marf Posted May 15, 2007

Hrm, I do believe it was a word, yes. Long time ago, but yes, I believe it was a word. That would make sense.

cluce Posted May 15, 2007 (Author)

Thanks for all your comments. I really don't need a top level of security, just something that secures a website fairly well.

MadTechie Posted May 15, 2007

MD5 is quicker and, with salt, still pretty secure.
SHA1 is a little slower but more secure; again, still add salt.

MD5: a 128-bit (16 byte) message digest, which makes it a faster implementation than SHA-1.

SHA-1: The Secure Hash Algorithm (SHA) is a 160-bit (20 byte) message digest. Although slower than MD5, this larger digest size makes it stronger against brute force attacks.