
[SOLVED] What is more secure (PASSWORD or SHA-1) function???


cluce


What is more secure, the PASSWORD or the SHA-1 function? Or will both of these do a good job of protecting the password? I know one just disguises the password with a fingerprint, which is not encrypted, and the SHA-1 is encrypted. Any opinions would be great.


I have no idea what the password method does or is, but the SHA-1 encryption has been reversed, if I remember right. I would go with md5... md5 can be dictionary attacked, but it takes a long time, or a word list, and most of those aren't public access.

 

If you're really paranoid, I would suggest using md5 and salting.....

 

example:

 

md5("mypassword123" . "2930jl;dlakjdfrandomstufftomakemd5weird");


Why does everyone think MD5 can be reversed / decrypted? Neither MD5 nor SHA1 has been "broken". Some Chinese mathematicians have discovered that it is possible to generate a collision for the two HASHING algorithms. They don't encrypt, they hash... encryption is designed to be reversed to get the original string back. A hash attempts to generate a unique identifier for the hashed value.

 

If you want to know more about the collisions, read the Wikipedia articles on MD5 and SHA1. Despite the fact that collisions can be generated, it isn't the easiest thing in the world to do. Even if it was, the "hacker" would need to know what the MD5 or SHA1 hash is. That is normally not something you should be just giving out. So, in order for the attacker to get the hash, they would have to already have access to your database... at which point they can just create their own user name and password.

 

Before anyone says anything about the websites that claim to reverse md5, they don't reverse anything... they compare the provided hash to the values stored in a database and hope for a match... the largest, I think, has 40 million records... the possible number of hashes for MD5 is 2^128... which is WAAAAAYYYYYYY more than 40 million.

 

In terms of hash strength, the mysql PASSWORD is 41 bytes long and md5 is 128 bytes long. I don't remember how long SHA1 is (I think 160, but not sure).

 

I encourage you to read more about hashing and make a decision for yourself. Neither MD5 nor SHA1 has been reversed; however, there is a (VERY) remote possibility of a collision being found for both.

 

http://en.wikipedia.org/wiki/Sha1

http://en.wikipedia.org/wiki/Md5

http://dev.mysql.com/doc/refman/5.0/en/password-hashing.html


Just to clarify, the "md5 decryption" sites apply to unsalted passwords only. If you use a salt, those sites will be unable to find your original passwords. The hacker will need to use brute force, which is still very slow for md5.

 

The purpose of using md5 (or another hash) is for the case where someone has hacked into your website and has downloaded your password list. Then you want to make sure they cannot recover the original passwords (or not easily, anyway). Often, people will use the same password for different sites, so knowing your password to one site may give a hacker access to other sites. This is why you want to keep the password unknown even if a hacker has control of your site.

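An added example (not code from any poster in this thread) that demonstrates the point made in the posts above: the "md5 decryption" sites are dictionary lookups of unsalted digests, and a salt defeats them. It goes slightly beyond the thread's single fixed salt string by giving each user a random salt stored alongside the hash; the password list and the lookup table are constructed here for illustration.

```python
import hashlib
import secrets

# Constructed stand-in for the lookup databases the posts mention: a few
# common passwords precomputed to their unsalted MD5 digests.
COMMON_PASSWORDS = ["123456", "password", "blink182", "trustno1", "qwerty"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def lookup(hex_digest):
    """Emulate a 'reversal' site: a dictionary lookup, not an inversion of MD5."""
    return LOOKUP_TABLE.get(hex_digest)


def unsalted_md5(password):
    return hashlib.md5(password.encode()).hexdigest()


def salted_md5(password, salt):
    # Same construction as the md5($pw . $salt) idea from the thread.
    return hashlib.md5((password + salt).encode()).hexdigest()


def new_user_record(password):
    """Per-user random salt. The salt is stored with the hash; it need not be
    secret, only unique, so a table precomputed for one user is useless for another."""
    salt = secrets.token_hex(8)
    return {"salt": salt, "hash": salted_md5(password, salt)}


def verify(record, password_attempt):
    """Recompute with the stored salt and compare in constant time."""
    expected = salted_md5(password_attempt, record["salt"])
    return secrets.compare_digest(expected, record["hash"])


if __name__ == "__main__":
    pw = "blink182"
    print("unsalted lookup:", lookup(unsalted_md5(pw)))   # found in the table
    rec = new_user_record(pw)
    print("salted lookup:  ", lookup(rec["hash"]))        # None: table is useless
    print("verify:", verify(rec, pw), "/ wrong guess:", verify(rec, "blink183"))
```

The salt only defeats precomputed tables; it does not slow down per-guess brute force of a fast hash such as MD5, which is why current practice uses a deliberately slow password hash (for example bcrypt through PHP's password_hash()).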

I'm not saying it isn't true, but I remember about 4ish years ago when I was playing around with the md5 in PHP4, and my friend said that he found some little program somebody else wrote. He showed me: he inputted my encrypted md5 password, and it yielded the result. Maybe there was a huge glitch in an old version of the PHP4 md5 function, but I vividly remember this. I'm assuming that this isn't the case anymore.


I suspect your friend's program had a pre-programmed list of passwords and hashes, and it just looked yours up. Was your password something common, like blink182 or trustno1?

 

If you picked a password like NtEtG!#1 and the program could find it, THEN I would be worried :)


MD5 is quicker and, with salt, still pretty secure.

SHA1 is a little slower but more secure; again, still add salt.

 

 

MD5: a 128-bit (16-byte) message digest, which makes it a faster implementation than SHA-1.

 

SHA-1: The Secure Hash Algorithm (SHA) is a 160-bit (20-byte) message digest. Although slower than MD5, this larger digest size makes it stronger against brute force attacks.

