Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 6 of 6
  1. #1
    Regular Coder olidenia's Avatar
    Join Date
    Oct 2009
    Location
    Sitting In Front Of A Screen
    Posts
    110
    Thanks
    16
    Thanked 4 Times in 4 Posts

    Advice about this form of password encryption.

    Hello to all that are reading.

    I'm encrypting my passwords before sending them to the SQL database and I'm using this method:

    As there are websites that can decrypt sha1 & md5 I have decided to encrypt first sha1 and then the result encrypt to md5.

    Are there any cons of using this method?

    PHP Code:
    $step1 sha1($_POST[pw]);
    $pw md5($step1); 
    Thank you
    Last edited by olidenia; 12-23-2010 at 02:22 PM.
    It's easy once you know how...

  • #2
    Senior Coder kbluhm's Avatar
    Join Date
    Apr 2007
    Location
    Philadelphia, PA, USA
    Posts
    1,509
    Thanks
    3
    Thanked 258 Times in 254 Posts
    No, both SHA1 and MD5 are both one-way hashes.

    Now before people come on here pointing you to websites that are able to "decrypt" these hashes, they cannot. They simple store millions of words side-by-side with their hash, allowing them to search the database for a hash and return the literal word.

  • #3
    Regular Coder mic2100's Avatar
    Join Date
    Feb 2006
    Location
    Scunthorpe
    Posts
    562
    Thanks
    15
    Thanked 28 Times in 27 Posts
    hey,

    I use a similar kind of method.

    PHP Code:
    $step1 sha1($_POST[pw]."a1!"); //random chars added at the end of the password. known as salt key
    $pw md5($step1); 
    makes if safer i find cos when sum1 decrypts the data they will see it with the salt key at the end and hopefully presume that is part of the password. all u then have to do is add that to the end of where eva it checks in the DB.

    these can be used at the beginning or end. i wudn't try adding em to the middle of strings since sum1 else might have the same sequence in their password, and removing em wud be a pain.

    i agree with kbluhm though in that sha1 and md5 r both 1 way hashes of the data.

  • #4
    Regular Coder olidenia's Avatar
    Join Date
    Oct 2009
    Location
    Sitting In Front Of A Screen
    Posts
    110
    Thanks
    16
    Thanked 4 Times in 4 Posts
    OK, now I understand, so they just store millions of records and then compare...

    Just in case I will keep using this method, I was just wondering if it can cause a biger problem?

    Thank you for the answers.
    It's easy once you know how...

  • #5
    Regular Coder olidenia's Avatar
    Join Date
    Oct 2009
    Location
    Sitting In Front Of A Screen
    Posts
    110
    Thanks
    16
    Thanked 4 Times in 4 Posts
    I see so If I put a salt key in the midle of the encryption hackers would have a hard time identifying this, the only thing is that If I obtain say 3 passwords from the database and compare them It will be easy to find the salt keyand remove it.

    Thanks again for the info.

    Quote Originally Posted by mic2100 View Post
    hey,

    I use a similar kind of method.

    PHP Code:
    $step1 sha1($_POST[pw]."a1!"); //random chars added at the end of the password. known as salt key
    $pw md5($step1); 
    makes if safer i find cos when sum1 decrypts the data they will see it with the salt key at the end and hopefully presume that is part of the password. all u then have to do is add that to the end of where eva it checks in the DB.

    these can be used at the beginning or end. i wudn't try adding em to the middle of strings since sum1 else might have the same sequence in their password, and removing em wud be a pain.

    i agree with kbluhm though in that sha1 and md5 r both 1 way hashes of the data.
    It's easy once you know how...

  • #6
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,994
    Thanks
    4
    Thanked 2,662 Times in 2,631 Posts
    Given enough time and power you can decrypt or rehash a match to anything.
    Can it be done in a reasonable time by brute? Not by an average machine it can't.
    There is a problem with both MD5 and SHA1 algorithms though, both have been identified to have flaws within the algorithms that greatly reduce the number of steps required to 'reverse' the hashed value, and by that I mean simply coming up with a pattern that will match.
    Unless you're doing something massively secure like a bank program or something like that (anything used by public for services really), I wouldn't bother updating the sha1 usage. I haven't used md5 in a long time myself, but I'm not ready to move up to the hash() at this point.

    I see recommendations for peppering techniques as well. These are good. The idea behind this is simply that should data in your database become leaked, and a single account is cracked, the same password used for this single account cannot be determined as valid against any other user with the same password since the hashes differ. Pepper is usually stored with the password in the database associated individually with a user. Stack it up with a filesystem based salt, and even user's with identical user systems wouldn't be able to compare their results for identical passwords.
    Add a flood layer to lock out accounts, and your set.
    PHP Code:
    header('HTTP/1.1 420 Enhance Your Calm'); 
    Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •