When users log in for the first time on my site and select a password, I want to start using md5 hashing. But my database already contains a lot of passwords currently in plain text that need to be hashed by md5. Is there an easy way to read all of these, hash them and re-write them to my MySQL database? Side question: do I need to be concerned about hashing usernames as well?
Thank you
Making my database more secure with hashing
Re: Making my database more secure with hashing
Something like this would convert them. Make sure you do this once, and before switching to MD5!
UPDATE `users` SET `pass` = MD5(`pass`);
Hashing usernames is possible, but since you can't salt them (because you need to be able to check for repeating usernames) and maybe you'll need to display them (almost everybody does), it's not very practical.
- kaisellgren
Re: Making my database more secure with hashing
I would take SHA1 instead, although SHA1 is also too weak, but less than MD5.
Too bad MySQL does not support SHA256/SHA512
Also, do not forget to put at least salting for your passwords. MD5 alone of a password is way too easily reversible through brute forcing or rainbow tables.
You might want to calculate a SHA256/SHA512 with PHP and update the DB that way. This is, however, a lot slower process especially if your database is big. Even if you salt your passwords, it's pretty quick to find a collision for MD5 nowadays with all those CUDA brute forcers. I was running an app that tries to find a matching password of MD5. This app used two of my 8800 GTX cards including my 3.6 GHz Quad core at high priority. Guess what? I was able to find a collision in 34½ hours. The keyword I got was "tyig84lda" and MD5 was "e326c8f5f387352b658f440a4acd53c6". I do not think his password was "tyig84lda", it's a personal website, I just needed to find a collision - luckily I had some pretty fast hardware combined with an assembly app so I was able to figure out that.
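The one-time conversion discussed in the replies above, done from PHP with a per-user salt, as an added example that is not code from any poster in this thread. The `users` table layout, the `salt` and `migrated` columns, the iteration count and the sample rows are assumptions; an in-memory SQLite database stands in for MySQL so the script runs offline, and `hash_pbkdf2()` is used here to iterate the salted SHA-256 instead of applying a single pass.

```php
<?php
// Constructed sample data; in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT, pass TEXT,
    salt TEXT DEFAULT NULL, migrated INTEGER DEFAULT 0)");
$db->exec("INSERT INTO users (username, pass) VALUES
    ('alice', 'correct horse'), ('bob', 'hunter2')");

const ITERATIONS = 100000; // assumed work factor, tune for your hardware

// Salted, iterated SHA-256 (PBKDF2); returns 64 hex characters.
function hashPassword(string $password, string $salt): string
{
    return hash_pbkdf2('sha256', $password, $salt, ITERATIONS, 64);
}

// Hash every row still holding plaintext. The `migrated` flag makes a second
// run a no-op, so an already hashed value is never hashed again.
function migrate(PDO $db): int
{
    $rows = $db->query("SELECT id, pass FROM users WHERE migrated = 0")
               ->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare(
        "UPDATE users SET pass = ?, salt = ?, migrated = 1
         WHERE id = ? AND migrated = 0");
    $db->beginTransaction();
    foreach ($rows as $row) {
        $salt = bin2hex(random_bytes(16)); // unique random salt per user
        $update->execute([hashPassword($row['pass'], $salt), $salt, $row['id']]);
    }
    $db->commit();
    return count($rows);
}

// Login check against a migrated row, using a constant-time comparison.
function verify(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        "SELECT pass, salt FROM users WHERE username = ? AND migrated = 1");
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false
        && hash_equals($row['pass'], hashPassword($password, $row['salt']));
}

echo migrate($db), " rows hashed, ", migrate($db), " on the second run\n";
var_dump(verify($db, 'bob', 'hunter2'), verify($db, 'bob', 'wrong'));
```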
Re: Making my database more secure with hashing
Did you just say you cracked someone's password?
Let's hope it was for academical reasons...
As for the password itself, I "guarantee"(*) you that what you got was the original plaintext. True MD5 collisions usually happen with carefully engineered large blocks of data
(*) without 100% certainty of course
- kaisellgren
Re: Making my database more secure with hashing
Mordred wrote:
Did you just say you cracked someone's password?
Let's hope it was for academical reasons...
As for the password itself, I "guarantee"(*) you that what you got was the original plaintext. True MD5 collisions usually happen with carefully engineered large blocks of data
(*) without 100% certainty of course
My friend asked me to crack it, because he couldn't. It was a coding/security competition.
Yeah maybe you are right, maybe it was his password, but the weird thing is that other passwords have always been longer than 20 characters, maybe this was just an exception then. Anyway, my point was more like "don't trust MD5 too much these days" :p