Making my database more secure with hashing
Posted: Sun Sep 28, 2008 7:15 am
by zunebuggy
When users log in for the first time on my site and select a password, I want to start using md5 hashing. But my database already contains a lot of passwords currently in plain text that need to be hashed by md5. Is there an easy way to read all of these, hash them and re-write them to my MySQL database? Side question: do I need to be concerned about hashing usernames as well?
Thank you
Re: Making my database more secure with hashing
Posted: Mon Sep 29, 2008 3:27 am
by Mordred
viewtopic.php?t=62782
UPDATE `users` SET `pass` = MD5(`pass`);
Something like this would convert them. Make sure you do this once, and before switching to MD5!
Hashing usernames is possible, but since you can't salt them (because you need to be able to check for repeating usernames) and maybe you'll need to display them (almost everybody does), it's not very practical.
Re: Making my database more secure with hashing
Posted: Mon Sep 29, 2008 1:25 pm
by kaisellgren
I would take SHA1 instead, although SHA1 is also too weak, but less so than MD5.
Too bad MySQL does not support SHA256/SHA512.
Also, do not forget to put at least salting for your passwords. MD5 alone of a password is way too easily reversible through brute forcing or rainbow tables.
You might want to calculate a SHA256/SHA512 with PHP and update the DB that way. This is, however, a lot slower process, especially if your database is big. Even if you salt your passwords, it's pretty quick to find a collision for MD5 nowadays with all those CUDA brute forcers. I was running an app that tries to find a matching password of MD5. This app used two of my 8800 GTX cards including my 3.6 GHz Quad core at high priority. Guess what? I was able to find a collision in 34½ hours. The keyword I got was "tyig84lda" and MD5 was "e326c8f5f387352b658f440a4acd53c6". I do not think his password was "tyig84lda", it's a personal website, I just needed to find a collision - luckily I had some pretty fast hardware combined with an assembly app so I was able to figure that out.
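The migration kaisellgren describes (read every plaintext row, hash it in application code with a salt, write the hash back), as an added example that is not from the original thread. It uses Python with the standard-library sqlite3 module in place of PHP and MySQL so that it runs offline; the `users` table, its `pass` column, the `salt` column the migration adds and the sample rows are all constructed for this example. Salted SHA-256 is used as kaisellgren suggests, and the migration honours Mordred's warning to run it exactly once by skipping rows that already carry a salt, so a second run is a no-op instead of hashing the hashes.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample rows standing in for the plaintext `users` table in the
# thread. Two users deliberately share a password to show what salting buys.
SAMPLE_USERS = [
    ("alice", "hunter2"),
    ("bob", "hunter2"),
    ("carol", "tyig84lda"),
]

SALT_BYTES = 16  # 128-bit random salt per row (assumption for this example)


def open_legacy_db() -> sqlite3.Connection:
    """Build the 'before' state: an in-memory table with plaintext passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pass TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, pass) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 as hex: the salt is prepended to the UTF-8 password."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def migrate_to_salted_sha256(conn: sqlite3.Connection) -> int:
    """Hash every still-plaintext row in place. Returns the number of rows rewritten.

    Rows that already have a salt are skipped, so running this twice is safe;
    an unguarded `UPDATE ... SET pass = MD5(pass)` run twice would double-hash.
    """
    columns = [row[1] for row in conn.execute("PRAGMA table_info(users)")]
    if "salt" not in columns:
        conn.execute("ALTER TABLE users ADD COLUMN salt TEXT")
    pending = conn.execute("SELECT name, pass FROM users WHERE salt IS NULL").fetchall()
    for name, plaintext in pending:
        salt = os.urandom(SALT_BYTES)
        conn.execute(
            "UPDATE users SET pass = ?, salt = ? WHERE name = ?",
            (hash_password(plaintext, salt), salt.hex(), name),
        )
    conn.commit()
    return len(pending)


def verify_login(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Recompute the salted hash for a login attempt and compare in constant time."""
    row = conn.execute("SELECT pass, salt FROM users WHERE name = ?", (name,)).fetchone()
    if row is None or row[1] is None:
        return False
    stored_hash, salt_hex = row
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored_hash)


def unsalted_md5(password: str) -> str:
    """The scheme the original poster asked about; identical input, identical hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def stored_hashes(conn: sqlite3.Connection) -> dict:
    """Snapshot of name -> stored pass column, for inspecting the migrated table."""
    return {name: value for name, value in conn.execute("SELECT name, pass FROM users")}


if __name__ == "__main__":
    db = open_legacy_db()
    print("first run rewrote", migrate_to_salted_sha256(db), "rows")
    print("second run rewrote", migrate_to_salted_sha256(db), "rows")
    hashes = stored_hashes(db)
    print("alice and bob share a password, salted hashes differ:", hashes["alice"] != hashes["bob"])
    print("unsalted MD5 of the same password is identical:",
          unsalted_md5("hunter2") == unsalted_md5("hunter2"))
    print("alice login ok:", verify_login(db, "alice", "hunter2"))
    print("alice wrong password:", verify_login(db, "alice", "wrong"))
```

The `WHERE salt IS NULL` filter is the one-shot guard; with plain MySQL you would want an equivalent marker (a nullable salt or scheme column) before running any in-place `UPDATE`, because there is no way to tell a hashed column from a plaintext one afterwards. Note that the unsalted MD5 of "hunter2" is the same for every user that chose it, which is exactly what a rainbow table exploits.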
Re: Making my database more secure with hashing
Posted: Tue Sep 30, 2008 2:20 am
by Mordred
Did you just say you cracked someone's password?
Let's hope it was for academic reasons...
As for the password itself, I "guarantee"(*) you that what you got was the original plaintext. True MD5 collisions usually happen with carefully engineered large blocks of data
(*) without 100% certainty of course

Re: Making my database more secure with hashing
Posted: Tue Sep 30, 2008 8:19 am
by kaisellgren
Mordred wrote: Did you just say you cracked someone's password?
Let's hope it was for academic reasons...
As for the password itself, I "guarantee"(*) you that what you got was the original plaintext. True MD5 collisions usually happen with carefully engineered large blocks of data
(*) without 100% certainty of course

My friend asked me to crack it, because he couldn't. It was a coding/security competition.
Yeah, maybe you are right, maybe it was his password, but the weird thing is that the other passwords have always been longer than 20 characters, so maybe this was just an exception. Anyway, my point was more like "don't trust MD5 too much these days" :p