
Advice about this form of password encryption.



olidenia
12-23-2010, 02:06 PM
Hello to all that are reading.

I'm encrypting my passwords before sending them to the SQL database and I'm using this method:

As there are websites that can decrypt sha1 & md5 I have decided to encrypt first sha1 and then the result encrypt to md5.

Are there any cons of using this method?



$step1 = sha1($_POST['pw']);
$pw = md5($step1);


Thank you

kbluhm
12-23-2010, 02:29 PM
No, SHA1 and MD5 are both one-way hashes.

Now before people come on here pointing you to websites that are able to "decrypt" these hashes, they cannot. They simply store millions of words side-by-side with their hash, allowing them to search the database for a hash and return the literal word.

mic2100
12-23-2010, 02:31 PM
hey,

I use a similar kind of method.



$step1 = sha1($_POST['pw']."a1!"); // random chars added at the end of the password, known as a salt key
$pw = md5($step1);


Makes it safer I find, because when someone decrypts the data they will see it with the salt key at the end and hopefully presume that is part of the password. All you then have to do is add that to the end wherever it checks in the DB.

These can be used at the beginning or end. I wouldn't try adding them to the middle of strings since someone else might have the same sequence in their password, and removing them would be a pain.

I agree with kbluhm though in that sha1 and md5 are both one-way hashes of the data.

olidenia
12-23-2010, 02:34 PM
OK, now I understand, so they just store millions of records and then compare...

Just in case I will keep using this method, I was just wondering if it can cause a bigger problem?

Thank you for the answers.

olidenia
12-23-2010, 02:42 PM
I see, so if I put a salt key in the middle of the encryption hackers would have a hard time identifying this, the only thing is that if I obtain say 3 passwords from the database and compare them it will be easy to find the salt key and remove it.

Thanks again for the info.


Fou-Lu
12-23-2010, 03:42 PM
Given enough time and power you can decrypt or rehash a match to anything.
Can it be done in a reasonable time by brute? Not by an average machine it can't.
There is a problem with both MD5 and SHA1 algorithms though, both have been identified to have flaws within the algorithms that greatly reduce the number of steps required to 'reverse' the hashed value, and by that I mean simply coming up with a pattern that will match.
Unless you're doing something massively secure like a bank program or something like that (anything used by public for services really), I wouldn't bother updating the sha1 usage. I haven't used md5 in a long time myself, but I'm not ready to move up to the hash() at this point.

I see recommendations for peppering techniques as well. These are good. The idea behind this is simply that should data in your database become leaked, and a single account is cracked, the same password used for this single account cannot be determined as valid against any other user with the same password since the hashes differ. Pepper is usually stored with the password in the database associated individually with a user. Stack it up with a filesystem based salt, and even users with identical user systems wouldn't be able to compare their results for identical passwords.
Add a flood layer to lock out accounts, and you're set.
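
The scheme described in the post above (a random value stored per user with each hash, plus a secret kept on the filesystem), shown next to the thread's md5(sha1()) approach as an added example that is not part of the original thread. It uses PHP's built-in password_hash() (PHP 5.5+, type declarations need PHP 7); the SITE_SECRET constant, the function names and the sample password are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread.
// Assumption: in a real deployment the site-wide secret is read from a file
// outside the web root; here it is a constructed constant so the script runs alone.
const SITE_SECRET = 'constructed-demo-secret-not-for-production';

// Mix the filesystem secret in with HMAC-SHA256, then let password_hash()
// generate a random per-user salt and apply a deliberately slow hash.
// The hex HMAC output is 64 bytes, inside bcrypt's 72-byte input limit.
function hash_password(string $password): string
{
    $keyed = hash_hmac('sha256', $password, SITE_SECRET);
    return password_hash($keyed, PASSWORD_BCRYPT, ['cost' => 12]);
}

// The stored string carries the algorithm, cost and salt, so verification
// needs only the stored value and the site secret.
function verify_password(string $password, string $stored): bool
{
    $keyed = hash_hmac('sha256', $password, SITE_SECRET);
    return password_verify($keyed, $stored);
}

// The thread's scheme, for comparison: unsalted, fast and deterministic.
function thread_hash(string $password): string
{
    return md5(sha1($password));
}

$pw = 'hunter2'; // constructed sample password, shared by two users

$alice = hash_password($pw);
$bob   = hash_password($pw);

// Does the thread's scheme store the same value for both users?
var_dump(thread_hash($pw) === thread_hash($pw));
// Do the two salted hashes of the same password match each other?
var_dump($alice === $bob);
// Does the correct password verify, and is a wrong one rejected?
var_dump(verify_password($pw, $alice));
var_dump(verify_password('hunter3', $alice));
```

Only the string returned by hash_password() goes in the database column; the site secret stays on disk, so a database dump alone is not enough to test password guesses.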


