I read on PHP.net that MD5 is useless, and they suggest using crypt + salt.
So, I went to their function description and read:
<?php
$password = crypt('mypassword'); // let the salt be automatically generated
/* You should pass the entire results of crypt() as the salt for comparing a
password, to avoid problems when different hashing algorithms are used. (As
it says above, standard DES-based password hashing uses a 2-character salt,
but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
    echo "Password verified!";
}
?>
Or, in my case, something like:
$stored_password = fetch_password($user);
if (crypt($_REQUEST['password'], $stored_password) === $stored_password) {
    // ok
}
So, when I see that the salt is stored in the hashed password and that you use that hashed password as salt, I think Crypt + Salt is not more secure against a brute force on output (hackers who managed to steal hashed passwords). Is it more secure?
Against a dictionary attack, I can understand its power, but for a brute force attack on hashed passwords, I don't see the advantage.
When applying salt to a string (password in the example) before hashing, the hash now becomes a different hash than it would be without the salt. Without the salt, you could just use a pre-existing dictionary - now instead you need to create a dictionary for the salt. If you use a user-specific salt, each user needs to have its own dictionary when using brute force. This becomes way more time-consuming.
MD5 is a broken algorithm because of its collision vulnerabilities.
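The effect of a per-user salt described in the answer above, as an added example that is not part of the original posts. The user names, passwords, word list and the helpers new_setting() and verify() are constructed for illustration, and bcrypt with cost 10 is an assumed choice of crypt() algorithm.

```php
<?php
// Constructed sample data: two users who chose the same password.
$users = ['alice' => 'sunshine', 'bob' => 'sunshine'];

// Hypothetical helper: a bcrypt setting string for crypt(),
// "$2y$" + cost + "$" + 22 salt characters (hex digits are valid here).
function new_setting(): string {
    return '$2y$10$' . bin2hex(random_bytes(11));
}

$unsalted = $salted = [];
foreach ($users as $name => $pw) {
    $unsalted[$name] = md5($pw);                  // no salt
    $salted[$name]   = crypt($pw, new_setting()); // per-user random salt
}

// Same password: the unsalted hashes are identical, the salted ones are not.
var_dump($unsalted['alice'] === $unsalted['bob']);
var_dump($salted['alice'] === $salted['bob']);

// A table of unsalted hashes computed once, in advance (constructed word list).
$precomputed = [];
foreach (['letmein', 'sunshine', 'qwerty'] as $word) {
    $precomputed[md5($word)] = $word;
}
foreach ($users as $name => $pw) {
    // The unsalted hash is found by a plain lookup; the salted value is not,
    // because the table would have to be rebuilt for this user's salt.
    printf("%s unsalted in table: %s, salted in table: %s\n", $name,
        isset($precomputed[$unsalted[$name]]) ? 'yes' : 'no',
        isset($precomputed[$salted[$name]]) ? 'yes' : 'no');
}

// Verification: the stored value carries algorithm, cost and salt, so passing
// it as the second argument makes crypt() repeat the same computation.
function verify(string $input, string $stored): bool {
    return hash_equals($stored, crypt($input, $stored));
}
var_dump(verify('sunshine', $salted['alice']));
var_dump(verify('sunshine1', $salted['alice']));
```

The salt is not a secret and does not slow guessing against a single stored value; it prevents one precomputed table, or one pass over a word list, from covering every user at once. The cost parameter in the setting string is what makes each individual guess slower.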