Jump to content

How is md5 safe?

phpSensei

By phpSensei
in PHP Coding Help

 Share

Recommended Posts

Jessica Advanced Member

Jessica

Posted
Posted

Not any...just 699,735 of them.

It's not even really cracked...it's just like brute-forcing.

 

No encryption can be 100% safe because of this method. Do you see how it works? It has a database of words and their hashes. So you enter a hashed string and it just looks up what the word is, if it has it.

Link to comment
Share on other sites
Psycho Prolific Member

Psycho

Posted
Posted

One thing many don't understand is that MD5 is a hash, not an encryption. That site is only able to "guess" the value based upon a dictionary of "common" values. Every MD5 has has MANY possible values that could have created that hash. So, the MD5 has for "password" could be the same MD5 hash for "UFD*(SFH&*FN^F^&G(GD^Gfdhs78feft56r5R%^bd66". So, just because that site came up with a value that creates the MD5 entered does not mean it was the same value you used to create the MD5.

 

That is the power of a hash. There is (theoretically) no possible way to reverse a hash. I say theoretically, because we (prorgammers) sometimes put limits on the possible values which shrinks the available hashes. If you were to have a password field that took only up to 10 characters and only accepted numbers and lower case characters, it would be a pretty easy process to create a hash for every possible value to compare it against.

 

With encryption there is always a way to decrypt it. If the key get compromised all the encrypted data is at risk. However, encryption and hashing are two entirely different things and should never be considered the same thing. Just as you wouldn't want to encrypt a password, you would never want to hash data such as a credit card number that you need to retrieve at a later time.

 

Here are a comple simple examples:

 

Using a system that transposes every letter with another letter would be a form of encryption: A = b, B = C, etc.

 

So, "password" becomes "qbttxpse"

 

However assigning a number to every letter and then suming the total would be a hash: a = 1, b = 2, etc.

"password" = 16 + 1 + 19 + 19 + 23 + 15 + 18 + 4 = 115

 

It should be pretty obvious that you could create other combinations that would result in the same value. So, you could never be certain what value was used to create 115.

 

EDIT: And all of this is the reason why you are always encouraged to use a STRONG password. If you used something such as "apple", then that will already exist in a database of hashes. But the time and resources needed to create exponentially more hash lookups such that "@PP1e" would be in the lookup list would be great.

Link to comment
Share on other sites
Jessica Advanced Member

Jessica

Posted
Posted

Not really. It's not "luck", it's a reverse lookup, like I said. If it's a common word, it will be in there. That's another reason to use hard passwords. Instead of "mynameisbob" do "MyN@m3!$B0b" - even if mynameisbob is in the database, I doubt the second one is.

Link to comment
Share on other sites
dbo Member

dbo

Posted
Posted

MD5 hashes are pretty safe if used correctly, always salt them. If other measures in place it's pretty safe. IF you allow for 3 failures then lock an account for 3 minutes before continuing it's going to take a script years and years and years to be able to attempt all possible solutions of a password. In even more secure environments you could require a password change after 3 failed attempts. Saying that we could easily write a program to test all possible combinations of letters, characters and numbers is just ridiculous.... think about how many possible combinations that is, and then putting one of the above measures on top of it pretty much seals the deal. It's security in layers my friends... always security in layers.

Link to comment
Share on other sites
BRUm Newbie

BRUm

Posted
Posted

You shouldn't be asking how safe MD5 is, you should be asking "How can I make my hashes safer".

 

Now, these hash "cracking" sites are utter useless if you use MD5() properly.

 

Have you ever heard of a salt or key?

 

It would be practically impossible for these sites to crack a hash with my own personal salt:

 

md5("$username$password$key");

 

Where $salt is something personal. For example, say I want a secure login for my blog, I may have the $key as the name of my blog + the name of my cat.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.