more secure md5() ?

pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

Is this method more secure?

Code:

//some mysql query....
password=md5(md5('password'))

After using md5() on the value of password, I use md5() again on the value of the first md5()... am I correct with this?? Is this more secure?
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas

Post by Pyrite »

Imho, I don't think it matters. MD5 is not encryption anyways. You're just taking a hash of a hash.
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

tnx for the reply....so..what do you suggest making password more secure??
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas

Post by Pyrite »

Check out the javascript md5 class, it doesn't make the password more secure per se, but it does do the md5 hashing on the client side, so that it is transmitted hashed instead of in plain text.

http://pajhome.org.uk/crypt/md5/
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Pyrite wrote:
> Check out the javascript md5 class, it doesn't make the password more secure per se, but it does do the md5 hashing on the client side, so that it is transmitted hashed instead of in plain text.
>
> http://pajhome.org.uk/crypt/md5/

You can't rely on that however.... ok so it sends hash data not the actual PW, but if they have JS disabled you'll get an unhashed PW, and your server-side PW verifications will be inconsistent. I'd stick with doing it on the server.

Just do it once though.... It won't be "more secure" just because you hash it twice.
Pyrite
Forum Regular
Posts: 769
Joined: Tue Sep 23, 2003 11:07 pm
Location: The Republic of Texas

Post by Pyrite »

Actually not, if JS is disabled it doesn't send the password. And instead, prints a message to the screen saying to enable javascript to use secure login.
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

how bout doing this..

Code:

$password = md5($pw.$username);

or

Code:

$password = md5($pw."some string here");

is this a good practice??
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Why not just md5().... do you know how to crack an md5() hash or something? Even if you could unhash it so to speak it wouldn't be too hard to break it down.
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

thanks for info d11wtq... just curious about the security.... some say that bruteforcing can easily crack it.... is that true?
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

Combining multiple hashes through concatenation of hash-of-a-hash techniques may result in a "greater" probability of a collision when you're hoping for "lesser" probability of one.
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

got it pimp... how about the others? how do you guys secure passwords for example in a login system... do you guys make it very complicated for the sake of very high security??
JayBird
Admin
Posts: 4524
Joined: Wed Aug 13, 2003 7:02 am
Location: York, UK

Post by JayBird »

read the user notes here - http://uk2.php.net/md5

From the note by IndigoDarkwolf downwards

Seems the message is, keep it simple
Last edited by JayBird on Wed Mar 23, 2005 6:27 am, edited 1 time in total.
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

md5 is still very secure but SHA hashing is apparently more secure...

Feyd wrote a class for PHP SHA256 hashing. I don't know a lot about it but apparently it reduces the likelihood of collisions compared with md5....

He has put the code in Code Snippets... you may want to take a look at that.
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

tnx a lot guys... :D
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

MD5 is a 128 bit hash, which I believe breaks down into 64 bits of signature, and 64 bits of security.

SHA256 is a 256 bit hash. It breaks down into 128 bits of signature, and 128 bits of security. It's quite a bit more secure than MD5, but does take longer to process, especially because it's not built into the underlying code of the php engine.
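
Added example, not part of the original thread or any poster's code: a PHP sketch of replacing stored md5(md5()) values with salted, deliberately slow hashes as users log in. It assumes PHP 7 or later, where password_hash(), password_verify(), password_needs_rehash() and hash_equals() are built in; the record layout, function names and sample users are hypothetical.

```php
<?php
// Added example: constructed users and passwords, not data from the thread.

// Legacy scheme asked about in the thread: a hash of a hash, no per-user salt.
function legacy_hash(string $pw): string {
    return md5(md5($pw));
}

// Verify a login against a stored record and upgrade the record if needed.
// $record is a hypothetical row: ['scheme' => 'md5x2'|'php', 'hash' => string].
function verify_and_upgrade(string $pw, array &$record): bool {
    if ($record['scheme'] === 'md5x2') {
        // hash_equals() compares in constant time.
        if (!hash_equals($record['hash'], legacy_hash($pw))) {
            return false;
        }
        // Correct password: swap the fast unsalted hash for a slow salted one.
        $record = ['scheme' => 'php', 'hash' => password_hash($pw, PASSWORD_DEFAULT)];
        return true;
    }
    if (!password_verify($pw, $record['hash'])) {
        return false;
    }
    // Re-hash when the default algorithm or cost has changed since storage.
    if (password_needs_rehash($record['hash'], PASSWORD_DEFAULT)) {
        $record['hash'] = password_hash($pw, PASSWORD_DEFAULT);
    }
    return true;
}

// Two constructed users who happen to choose the same password.
$alice = ['scheme' => 'md5x2', 'hash' => legacy_hash('correct horse')];
$bob   = ['scheme' => 'md5x2', 'hash' => legacy_hash('correct horse')];

// Unsalted: identical passwords produce identical stored values.
var_dump($alice['hash'] === $bob['hash']);

// A wrong password is rejected and leaves the record untouched.
var_dump(verify_and_upgrade('wrong guess', $alice), $alice['scheme']);

// Successful logins migrate each record to password_hash().
var_dump(verify_and_upgrade('correct horse', $alice));
var_dump(verify_and_upgrade('correct horse', $bob));

// Each upgraded record carries its own random salt, so the values now differ.
var_dump($alice['scheme'], $alice['hash'] === $bob['hash']);
```

The salt and cost are stored inside the string password_hash() returns, so no separate salt column is needed.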