
Is using md5 secure even if it's more difficult? [duplicate]

Possible Duplicate:
Secure hash and salt for PHP passwords

I saw someone coding a password hash like this,

md5(uniqid(mt_rand('password', 15), true));

Is that a secure way to do this? Does that even work?

itsme asked Jul 09 '12 18:07


3 Answers

No, it isn't a safe way. It is crackable and, in your example, it is not repeatable. You would have to store the random value along with the hash itself. If the DB is compromised, then it becomes extremely simple to bruteforce the hash.

You should know that MD5 and SHA1 are two of the weakest hashing algorithms that are available in PHP.

Much better is to use the crypt() function, with CRYPT_BLOWFISH or PBKDF2.

update

Also, as PeeHaa mentioned, it does not work. The mt_rand('password', 15) call will cause Warning: mt_rand() expects parameter 1 to be long, string given on line X.

tereško answered Oct 23 '22 15:10


Not only is that not secure, it doesn't even work.

mt_rand takes 2 parameters, a min value and a max value.

mt_rand('password', 15)

This converts 'password' to an int (0), then returns a random number between 0 and 15.

uniqid(mt_rand('password', 15), true)

This then generates a unique ID and prepends the random number from the previous step to it, calculating something like this:

144ffb22886d58e1.82100749

That string is then md5'd.

As you may be able to see, this code is 100% useless. The original password is converted to 0 and lost forever, so all you're doing is hashing random numbers, which is pointless. Now that you have your hash, there is no way to verify it again. Since the password is converted, whatever the user enters doesn't matter.

So, no, this code is not secure, do not use it.

Personally, I use the phpass library. It's secure, and simple to use.

Rocket Hazmat answered Oct 23 '22 15:10
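A runnable contrast of the two points made above (Rocket Hazmat's walk-through of why the questioner's hash can never be verified, and tereško's crypt() with CRYPT_BLOWFISH recommendation), added here as an example; it is not code from any answer on this page. The sample password and the brokenHash/bcryptHash/bcryptVerify helper names are assumptions of this example, and the (int) cast stands in for the coercion the answers describe, since newer PHP versions throw a TypeError for mt_rand('password', 15) instead of the warning quoted above.

```php
<?php
declare(strict_types=1);

// The scheme from the question. The password is coerced to int 0, so the
// result depends only on mt_rand() and uniqid() and cannot be re-derived
// later from the password. The (int) cast reproduces that coercion explicitly.
function brokenHash(string $password): string
{
    $coerced = (int) $password;               // 'password' -> 0: the secret is gone
    $prefix  = (string) mt_rand($coerced, 15); // random 0..15
    return md5(uniqid($prefix, true));        // time-based, differs on every call
}

// A verifiable replacement along the lines tereško recommends: bcrypt via
// crypt() with a random 22-character salt and a cost factor of 12.
function bcryptHash(string $password): string
{
    // crypt() expects 22 chars from the ./0-9A-Za-z alphabet after "$2y$12$".
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, '$2y$12$' . $salt);
}

function bcryptVerify(string $password, string $storedHash): bool
{
    // bcrypt embeds its salt and cost in the hash, so crypt() with the stored
    // hash as the salt spec must reproduce it exactly. Compare in constant time.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

$password = 'correct horse battery staple';   // constructed sample value

// Two hashes of the same password under the broken scheme never match,
// so there is nothing a login check could compare against.
$first  = brokenHash($password);
$second = brokenHash($password);
echo "broken scheme repeatable: ", var_export($first === $second, true), "\n";

// bcrypt: the stored hash verifies the right password and rejects a wrong one.
$storedHash = bcryptHash($password);
echo "bcrypt accepts correct password: ", var_export(bcryptVerify($password, $storedHash), true), "\n";
echo "bcrypt accepts wrong password: ", var_export(bcryptVerify('wrong', $storedHash), true), "\n";
```

On PHP 5.5 and later, password_hash() and password_verify() wrap this same bcrypt construction and are the simpler choice in new code.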


To be honest, I wouldn't even use md5 as a hashing algorithm for storing passwords. I would look into using something like bcrypt. Also, I don't even get how your example would work, but in any case, if you want to secure it then stay away from md5 and sha1 at the minimum, learn from others' mistakes, and use a salt.

sean answered Oct 23 '22 15:10