...

View Full Version : MD5 encryption



GO ILLINI
11-25-2007, 10:21 PM
Is MD5 encryption even worth it for passwords? To me it seems useless. http://www.md5decrypter.com/ can decrypt everything. Is there a better encryption available?
Currently I'm making a php/mysql based program to organize seats for a local theater. I would like to be secure and am currently using MD5, but I don't really see how it can help. It seems to me that anyone that can hack into my database can certainly Google for a MD5 decrypted.


-Adam

aWishResigned
11-25-2007, 10:35 PM
MD5 uses a hash-based encryption method so it is un-decryptable (assuming that can be a word). The site you linked uses a database of decrypted hashes so, if someone we're to know your password and send it into them, yes they can decrypt it but they would only actually be comparing the md5 result to records in a database. In order for that site to be worth anything, they would have to have a database of billions of records which, honestly is not feasible.

To sum up, MD5 is great for one-way passwords. You take whatever the user has provided for login, md5 it and then compare it to your already encrypted password on file. If they match, the password is correct.

GO ILLINI
11-25-2007, 11:10 PM
ahh ok thanks that makes sense...
I understand now because everything I tried I also use their encrypter tool so they already had the answer... CHEATERS!!!


-Adam

Inigoesdr
11-25-2007, 11:22 PM
If you're going to use a one-way hash for passwords use sha1() or hash('sha256', $string) if you have PHP 5.1.2+.

CFMaBiSmAd
11-25-2007, 11:48 PM
No matter which hash you use, prepend or append a unique/nonsense "salt" string (look up salt if you don't know what that means) to it before you hash it, so that the database lookup tables/sites won't be usable to find out the original value.

I hope you did not try any real passwords you use (even if they were not found in the database) that you have set on your router or any thing else that can be tied to your IP address/domain/network you were on when you visited those sites, because they just learned your current IP address and any of your real passwords you just tried.

GO ILLINI
11-26-2007, 03:52 AM
Thanks,

I will start using the salt method. Right now it is pretty confusing but I found a few tutorials and I am sure I will understand soon.

And no I didn't use any real passwords or any significant words. I don't like to type passwords into any boxes they don't belong in.

-Adam

fl00d
11-26-2007, 09:50 PM
Actually I've got a great tutorial for password salting. If you're interested I can PM you the link. It's on a site that may not be appropriate to post publically (here anyway. It has to do with that 'ethical hacking' stuff.

aedrin
11-26-2007, 10:15 PM
No matter which hash you use, prepend or append a unique/nonsense "salt" string (look up salt if you don't know what that means) to it before you hash it, so that the database lookup tables/sites won't be usable to find out the original value.

And to make them (the salts) really useful, make it unique for every user.

rpgfan3233
11-26-2007, 11:15 PM
IIRC, MD5 and the SHA-1 have both been found vulnerable. That is probably the biggest reason to use a salt. If someone knows how the algorithm(s) work, that person could indeed create a salt that very much prevents decryption of the original string. I personally use a combination of functions, sometimes including my own encoding/encryption function, all of which are salted with a different salt at each stage.

felgall
11-27-2007, 08:22 AM
An unsalted MD5 can easily be broken using a rainbow table. They may not find the real password but they will find a password that MD5s to the same hash value which is therefore just as good.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum