
Author Re: [PHP-DB] Insecure Hashes (was Re: Beginners Problem)
Cristian Vrabie

2008-01-22, 7:07 pm

It's true md5 is very old, but it is not completely obsolete. Used in
combination with a random salt, it is still hard to decode.
Maybe I won't use it as encryption for passwords any more, but I would
use it for digital signatures or data integrity checks.

sublimino@gmail.com wrote:
> Whilst reviewing my penetration testing I have noticed that both the
> md5 and sha1 hashing algorithms are now considered less secure than
> previously thought. Migration to sha256 is encouraged:
>
> http://www.owasp.org/index.php/Cryp...rithm_Selection
>
> Then I found the comment below from:
>
> http://uk3.php.net/manual/en/function.md5.php
>
> http://md5.rednoize.com offers a service to reverse engineer md5
> hashes. Very useful if you got a md5 hash and need the plain text
> string of this md5 hash. The website has currently over 47 million
> hashes stored. It also has support for SHA-1 hashes.
>
> Consequently I shall be updating my authentication class.
>
>
> Andy
>
>

J. Hill

2008-01-23, 4:05 am

Well, if you're interested in some greater level of security where you
can decrypt, you might want to check out Rijndael encryption (a type of
AES). Shane Kretzmann wrote a good Rijndael PHP class that I think is
still on phpclasses.

It can be a bit difficult working with binary passwords, but if you
really need security, it seems like one of the better options.

I've been testing it myself, and the only issue I see is, of course,
keeping the key secret. I've been looking at a few methods, but I'm
always interested in others' ideas on that issue.

Regards,

J. Hill



Cristian Vrabie wrote:
> It's true md5 is very old, but it is not completely obsolete. Used in
> combination with a random salt, it is still hard to decode.
> Maybe I won't use it as encryption for passwords any more, but I would
> use it for digital signatures or data integrity checks.
>
> sublimino@gmail.com wrote:
>
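
Added example (not part of the original thread, and not any poster's code): one way to move an authentication class off MD5 without forcing password resets, by upgrading each stored hash the next time its owner logs in. It assumes the existing column holds unsalted hex md5() digests and PHP 7.1 or later; the function names and sample row are hypothetical, while password_hash(), password_verify() and password_needs_rehash() are PHP built-ins that were added in PHP 5.5, after this thread was written.

```php
<?php
// Added example: hypothetical helpers, not code from any poster in this thread.
// Assumption: legacy rows hold an unsalted 32-character hex md5() digest.

/** True when the stored value looks like a legacy hex MD5 digest. */
function is_legacy_md5(string $stored): bool
{
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

/**
 * Verify a login attempt. Returns [bool $ok, ?string $newHash]; a non-null
 * $newHash must be written back to the user's row by the caller.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    if (is_legacy_md5($stored)) {
        // Constant-time comparison against the legacy digest.
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // Correct password: replace the MD5 digest with a salted, slow hash.
        return [true, password_hash($password, PASSWORD_DEFAULT)];
    }

    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Re-hash when PHP's default algorithm or cost has changed since storage.
    $newHash = password_needs_rehash($stored, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return [true, $newHash];
}

// Constructed sample data: one legacy row, then two login attempts.
$row = ['user' => 'demo', 'hash' => md5('correct horse')];

[$ok, $new] = verify_and_upgrade('correct horse', $row['hash']);
if ($ok && $new !== null) {
    $row['hash'] = $new;   // persist to the database here
}
var_dump($ok, is_legacy_md5($row['hash']));

[$ok, $new] = verify_and_upgrade('wrong guess', $row['hash']);
var_dump($ok);
```

Accounts that never log in again keep their MD5 digest, so the legacy branch should be given a retirement date after which those accounts require a password reset.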


Copyright 2008 codecomments.com