Insecure Hashes (was Re: Beginners Problem)

Whilst reviewing my penetration testing I have noticed that both the
md5 and sha1 hashing algorithms are now considered less secure than
previously thought. Migration to sha256 is encouraged:

http://www.owasp.org/index.php/Cryptography#Algorithm_Select ion

Then I found the comment below from:

http://uk3.php.net/manual/en/function.md5.php

http://md5.rednoize.com offers a service to reverse engineer md5
hashes. Very useful if you got a md5 hash and need the plain text
string of this md5 hash. The website has currently over 47 million
hashes stored. It also has support for SHA-1 hashes.

Consequently I shall be updating my authentication class.


Andy

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Insecure Hashes (was Re: Beginners Problem)

It's true md5 is very old but is not completely obsolete. Used in
combination with a random salt is still hard to decode.
Maybe i won't use it as encryption for passwords any more but I would
use it for digital signature or data integrity check.

sublimino@gmail.com wrote:
> Whilst reviewing my penetration testing I have noticed that both the
> md5 and sha1 hashing algorithms are now considered less secure than
> previously thought. Migration to sha256 is encouraged:
>
> http://www.owasp.org/index.php/Cryptography#Algorithm_Select ion
>
> Then I found the comment below from:
>
> http://uk3.php.net/manual/en/function.md5.php
>
> http://md5.rednoize.com offers a service to reverse engineer md5
> hashes. Very useful if you got a md5 hash and need the plain text
> string of this md5 hash. The website has currently over 47 million
> hashes stored. It also has support for SHA-1 hashes.
>
> Consequently I shall be updating my authentication class.
>
>
> Andy
>
>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: Insecure Hashes (was Re: Beginners Problem)

Well, if you're interested in some greater level of security where you
can decrypt, you might want to check out rijndael encryption (a type of
AES). Shane Kretzmann wrote a good rijndael php class that I think is
still on phpclasses.

It can be a bit difficult working with binary passwords, but if you
really need security, it seems like one of the better options.

I've been testing it myself, and the only issue I see is, of course:
keeping the key secret. I've been looking at a few methods, but I'm
always interested in others ideas on that issue.

Regards,

J. Hill



Cristian Vrabie wrote:
> It's true md5 is very old but is not completely obsolete. Used in
> combination with a random salt is still hard to decode.
> Maybe i won't use it as encryption for passwords any more but I would
> use it for digital signature or data integrity check.
>
> sublimino@gmail.com wrote:
>> Whilst reviewing my penetration testing I have noticed that both the
>> md5 and sha1 hashing algorithms are now considered less secure than
>> previously thought. Migration to sha256 is encouraged:
>>
>> http://www.owasp.org/index.php/Cryptography#Algorithm_Select ion
>>
>> Then I found the comment below from:
>>
>> http://uk3.php.net/manual/en/function.md5.php
>>
>> http://md5.rednoize.com offers a service to reverse engineer md5
>> hashes. Very useful if you got a md5 hash and need the plain text
>> string of this md5 hash. The website has currently over 47 million
>> hashes stored. It also has support for SHA-1 hashes.
>>
>> Consequently I shall be updating my authentication class.
>>
>>
>> Andy
>>
>>
>

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php