Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is md5() for?

I was reading this tutorial for a simple PHP login system.

In the end it recommends that you should encrypt your password using md5().

Though I know this is a beginners' tutorial, and you shouldn't put bank statements behind this login system, this got me thinking about encryption.

So I went ahead and went to (one of the most useful questions this site has for newbies): What should a developer know before building a public web site?

There it says (under security) you should:

Encrypt Hash and salt passwords rather than storing them plain-text.

It doesn't say much more about it, no references.

So I went ahead and tried it myself:

$pass = "Trufa"; $enc = md5($pass);  echo $enc; #will echo 06cb51ce0a9893ec1d2dce07ba5ba710 

And this is what got me thinking, that although I know md5() might not the strongest way to encrypt, anything that always produces the same result can be reverse engineered.

So what is the sense of encrypting something with md5() or any other method?

If a hacker gets to a password encrypted with md5(), he would just use this page!.

So now the actual questions:

  1. How does password encryption work?

I know I have not discovered a huge web vulnerability here! :) I just want to understand the logic behind password encryption.

I'm sure I'm understanding something wrong, and would appreciate if you could help me set my though and other's (I hope) straight.

How would you have to apply password encryption so that it is actually useful?

  1. What about this idea?

As I said, I may/am getting the whole idea wrong, but, would this method add any security in security to a real environment?

$reenc = array(  "h38an",  "n28nu",  "fw08d"  );  $pass = "Trufa";  $enc = chunk_split(md5($pass),5,$reenc[mt_rand(0,count($reenc)-1)]);  echo $enc; 

As you see, I randomly added arbitrary strings ($reenc = array()) to my md5() password "making it unique". This of course is just a silly example.

I may be wrong but unless you "seed the encryption yourself" it will always be easily reversible.

The above would be my idea of "password protecting" and encrypted password, If a hacker gets to it he wont be able to decrypt it unless he gets access to the raw .php

I know this might not even make sense, but I can't figure out why this is a bad idea!


I hope I've made myself clear enough, but this is a very long question so, please ask for any clarification needed!

Thanks in advance!!

like image 522
Trufa Avatar asked Dec 08 '10 15:12

Trufa


People also ask

What is MD5 used for today?

As a hash function, MD5 maps a set of data to a bit string of a fixed size called the hash value. Hash functions have variable levels of complexity and difficulty and are used for cryptocurrency, password security, and message security.

What are the advantages of MD5?

4) Advantages of MD5 Algorithm MD5 algorithm is very much helpful as it is a bit easier for storing and comparing smaller hashes than the large text of variable length. They are used to store passwords in 128-bit form in UNIX. And it's easy to develop a message digest from the original message.

What is an MD5 value?

An MD5 checksum is a 32-character hexadecimal number that is computed on a file. If two files have the same MD5 checksum value, then there is a high probability that the two files are the same. After downloading an Altera software installation package, you can compute the MD5 checksum on the installation file.


1 Answers

You should have an encryption like md5 or sha512. You should also have two different salts, a static salt (written by you) and then also a unique salt for that specific password.

Some sample code (e.g. registration.php):

$unique_salt = hash('md5', microtime());  $password = hash('md5', $_POST['password'].'raNdoMStAticSaltHere'.$unique_salt); 

Now you have a static salt, which is valid for all your passwords, that is stored in the .php file. Then, at registration execution, you generate a unique hash for that specific password.

This all ends up with: two passwords that are spelled exactly the same, will have two different hashes. The unique hash is stored in the database along with the current id. If someone grab the database, they will have every single unique salt for every specific password. But what they don't have is your static salt, which make things a lot harder for every "hacker" out there.

This is how you check the validity of your password on login.php for example:

$user = //random username; $querysalt = mysql_query("SELECT salt FROM password WHERE username='$user'"); while($salt = mysql_fetch_array($querysalt)) {     $password = hash('md5',           $_POST['userpassword'].'raNdoMStAticSaltHere'.$salt[salt]); } 

This is what I've used in the past. It's very powerful and secure. Myself prefer the sha512 encryption. It's actually just to put that inside the hash function instead of md5 in my example.

If you wanna be even more secure, you can store the unique salt in a completely different database.

like image 113
Wroclai Avatar answered Sep 19 '22 12:09

Wroclai