Jump to content

[SOLVED] MD5 HASHES are not so secure...

Xeoncross

By Xeoncross
in Application Design

 Share

Recommended Posts

Xeoncross Member

Xeoncross

Posted
Posted

After starting down the road of making hashes from all my passwords - I found myself wondering if even that was enough.

 

Thanks to google (and articles like http://alan.blog-city.com/cracking_mysqls_md5_function__within_seconds.htm) I now wonder if there is any better solution to the default "use md5()" model of securing sites. After all, I must admit that the idea of anyone having a http://md5.rednoize.com/ scares me.  ;)

 

Now, one thing I thought of was adding UNCOMMON chars like anything not in [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ] to my hashes to make most rainbow tables (anything < 64GB) useless for my hashes.

 

So, is that a good idea or should I look for something else like SHA-1?

 

P.S. If you don't know what a rainbow table is, please don't respond.

No offense, but I am only interested in seasoned programmers answers.

 

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Edit: basically says the same as above, with an explanation of why it is effective -

 

If you salt the entered value by prepending or appending a nonsense string (look up salting a hash), then perform the hash, then none of the table lookups will give a value that can be entered to match your hashes.

 

$my_salted_hash = md5("entered value" . "my 89dn nonsense caerd salt a9in string");

 

If someone obtains you hashes and happens to find a value that produces the same hash, when they try that value on your web site, it won't produce the same hash because of the salt string. As long as you never echo or publish your salt string and someone does not gain access to your php code, no one can come up with an original value that will work on your site.

Link to comment
Share on other sites
Xeoncross Member

Xeoncross

Posted
  • Author
Posted

If someone obtains you hashes and happens to find a value that produces the same hash, when they try that value on your web site, it won't produce the same hash because of the salt string. As long as you never echo or publish your salt string and someone does not gain access to your php code, no one can come up with an original value that will work on your site.

 

I did think about using a salt - however, I plan on publishing the code so I thought it would be useless to hard-code something in (like "*^%&#(%"). Never-the-less, I guess I could have the user that downloads my system make his own 10char string and that way each person using my system would have a different hash that other users wouldn't know.

Link to comment
Share on other sites
dbo Member

dbo

Posted
Posted

why not just use something like:

 

$salt = $username . "_" . $password . "_" . $username;

 

You've already got a salt... No need to make the users enter anything additional. All you are trying to do is create a hash that isn't stored in a database. Throw on some policy that locks an account for 3 minutes after 3 failed attempts in x amount of time and you'll have a pretty secure system (as far as most applications are concerned).

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.