Making my database more secure with hashing

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Post Reply
zunebuggy
Forum Commoner
Posts: 41
Joined: Wed Aug 27, 2008 1:22 pm

Making my database more secure with hashing

Post by zunebuggy »

When users log in for the first time on my site and select a password, I want to start using md5 hashing. But my database already contains a lot of passwords currently in plain text that need to be hashed my md5. Is there an easy way to read all of these, hash them and re-write them to my MySQL database? Side question do I need to be concerned about hashing usernames as well?

Thank you
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Making my database more secure with hashing

Post by Mordred »

viewtopic.php?t=62782

Code: Select all

UPDATE `pass` IN `users` SET `pass`=MD5(`pass`)
 
Something like this would convert them. Make sure you do this once, and before switching to MD5!

Hashing usernames is possible, but since you can't salt them (because you need to be able to check for repeating usernames) and maybe you'll need to display them (almost everybody does), it's not very practical.
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Making my database more secure with hashing

Post by kaisellgren »

I would take SHA1 instead, although SHA1 is also too weak, but less than MD5.

Too bad MySQL do not support SHA256/SHA512 :(

Also, do not forget to put at least salting for your passwords. MD5 alone of a password is way too easily reversible through brute forcing or rainbox tables.

You might want to calculate a SHA256/SHA512 with PHP and update the DB that way. This is, however, a lot slower process especially if your database is big. Even if you salt your passwords, it's pretty quick to find a collision for MD5 nowadays with all those CUDA brute forcers. I was running an app that tries to find a matching password of MD5. This app used two of my 8800 GTX cards including my 3.6 GHz Quad core at high priority. Guess what? I was able to find a collision in 34½ hours. The keyword I got was "tyig84lda" and MD5 was "e326c8f5f387352b658f440a4acd53c6". I do not think his password was "tyig84lda", it's a personal website :), I just needed to find a collision - luckily I had some pretty fast hardware combined with an assembly app so I was able to figure out that.
User avatar
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Making my database more secure with hashing

Post by Mordred »

Did you just say you cracked someone's password?
Let's hope it was for academical reasons...

As for the password itself, I "guarantee"(*) you that what you got was the original plaintext. True MD5 collisions usually happen with carefully engineered large blocks of data

(*) without 100% certainty of course ;)
User avatar
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Making my database more secure with hashing

Post by kaisellgren »

Mordred wrote:Did you just say you cracked someone's password?
Let's hope it was for academical reasons...

As for the password itself, I "guarantee"(*) you that what you got was the original plaintext. True MD5 collisions usually happen with carefully engineered large blocks of data

(*) without 100% certainty of course ;)
My friend asked me to crack it, because he couldn't. It was a coding/security competition.

Yeah maybe you are right, maybe it was his password, but the wierd thing is that other passwords has always been longer then 20 characters, maybe this was just an exception then. Anyway, my point was more like "don't trust MD5 too much these days" :p
Post Reply