more secure md5() ?
Posted: Wed Mar 23, 2005 12:56 am
by pleigh
is this method more secure?
Code:
//some mysql query....
password=md5(md5('password'))
after using md5() to the value of password, i use md5() again the value of the first md5()...am i correct with this?? is this more secure?
Posted: Wed Mar 23, 2005 1:07 am
by Pyrite
Imho, I don't think it matters. MD5 is not encryption anyways. You're just taking a hash of a hash.
Posted: Wed Mar 23, 2005 1:10 am
by pleigh
tnx for the reply....so..what do you suggest making password more secure??
Posted: Wed Mar 23, 2005 1:18 am
by Pyrite
Check out the javascript md5 class, it doesn't make the password more secure per se, but it does do the md5 hashing on the client side, so that it is transmitted hashed instead of in plain text.
http://pajhome.org.uk/crypt/md5/
Posted: Wed Mar 23, 2005 5:07 am
by Chris Corbyn
Pyrite wrote: Check out the javascript md5 class, it doesn't make the password more secure per se, but it does do the md5 hashing on the client side, so that it is transmitted hashed instead of in plain text.
http://pajhome.org.uk/crypt/md5/
You can't rely on that however.... ok so it sends hash data not the actual PW, but if they have JS disabled you'll get an unhashed PW, and your server-side PW verifications will be inconsistent. I'd stick with doing it on the server.
Just do it once though.... It won't be "more secure" just because you hash it twice.
Posted: Wed Mar 23, 2005 5:42 am
by Pyrite
Actually not, if JS is disabled it doesn't send the password. And instead, prints a message to the screen saying to enable javascript to use secure login.
Posted: Wed Mar 23, 2005 5:44 am
by pleigh
how bout doing this..
or
Code:
$password = md5($pw."some string here");
is this a good practice??
Posted: Wed Mar 23, 2005 5:49 am
by Chris Corbyn
Why not just md5().... do you know how to crack an md5() hash or something? Even if you could unhash it so to speak it wouldn't be too hard to break it down.
Posted: Wed Mar 23, 2005 5:56 am
by pleigh
thanks for info d11wtq...just curious about the security....some say that bruteforcing can easily crack it....is that true?
Posted: Wed Mar 23, 2005 5:59 am
by JayBird
Combining multiple hashes through concatenation of hash-of-a-hash techniques may result in a "greater" probability of a collision when you're hoping for "lesser" probability of one.
Posted: Wed Mar 23, 2005 6:04 am
by pleigh
got it pimp...how about the others? how do you guys secure passwords for example in a login system...do you guys make it very complicated for the sake of very high security??
Posted: Wed Mar 23, 2005 6:27 am
by JayBird
read the user notes here -
http://uk2.php.net/md5
From the note by IndigoDarkwolf downwards
Seems the message is: keep it simple
Posted: Wed Mar 23, 2005 6:27 am
by Chris Corbyn
md5 is still very secure but SHA hashing is apparently more secure...
Feyd wrote a class for PHP SHA256 hashing. I don't know a lot about it but apparently it reduces the likelihood of collisions compared with md5....
He has put the code in Code Snippets... you may want to take a look at that.
Posted: Wed Mar 23, 2005 6:29 am
by pleigh
tnx a lot guys...

Posted: Wed Mar 23, 2005 8:08 am
by feyd
MD5 is a 128 bit hash, which I believe breaks down into 64 bits of signature, and 64 bits of security.
SHA256 is a 256 bit hash. It breaks down into 128 bits of signature, and 128 bits of security. It's quite a bit more secure than MD5, but does take longer to process, especially because it's not built into the underlying code of the php engine.
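
Added example, not code from any poster in this thread: it compares the two schemes asked about above, md5(md5()) and md5() with a fixed string appended, against PHP's built-in password_hash() (PHP 5.5 and later, which generates a per-password random salt and uses a tunable work factor), and shows one way to upgrade stored hashes at login. The function names, the sample passwords and the rule that a 32-hex-character stored value is a legacy md5(md5()) digest are assumptions made for the illustration.

```php
<?php
// Added example; the passwords below are constructed sample values.

// The two schemes asked about in the thread: neither has a per-user salt.
function legacy_double_md5(string $pw): string {
    return md5(md5($pw));
}
function legacy_md5_static(string $pw): string {
    return md5($pw . "some string here");
}

// Check a login against the stored value. A 32-hex-char value is treated as a
// legacy md5(md5()) digest (assumption) and replaced after a successful check.
// Returns [bool $ok, string $hashToStore].
function verify_and_upgrade(string $pw, string $stored): array {
    if (preg_match('/\A[0-9a-f]{32}\z/', $stored)) {
        // Constant-time comparison of the legacy digest.
        if (!hash_equals($stored, legacy_double_md5($pw))) {
            return [false, $stored];
        }
        return [true, password_hash($pw, PASSWORD_DEFAULT)];
    }
    if (!password_verify($pw, $stored)) {
        return [false, $stored];
    }
    // Re-hash if the default algorithm or cost has changed since storage.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = password_hash($pw, PASSWORD_DEFAULT);
    }
    return [true, $stored];
}

// Two users who chose the same password (constructed).
$alice = 'correct horse';
$bob   = 'correct horse';

// Legacy schemes: identical passwords produce identical stored hashes.
var_dump(legacy_double_md5($alice) === legacy_double_md5($bob));
var_dump(legacy_md5_static($alice) === legacy_md5_static($bob));

// password_hash(): a fresh random salt per call, so the stored values differ
// while each one still verifies against its password.
$ha = password_hash($alice, PASSWORD_DEFAULT);
$hb = password_hash($bob, PASSWORD_DEFAULT);
var_dump($ha === $hb, password_verify($bob, $hb));

// First login after migration: the legacy row is verified, then replaced.
[$ok, $new] = verify_and_upgrade($alice, legacy_double_md5($alice));
var_dump($ok, $new !== legacy_double_md5($alice), password_verify($alice, $new));
```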