shrek1609 Posted June 21, 2009 Posted June 21, 2009 Ok this is just a thought i have had, one of the most common hacks/exploits is the obtaining the md5 hash from the database via certain files within mccodes... Now as i understand it MD5 is not reversable however there is away to find passwords that have been encrypted via MD5 (for obvious reasons i wont go into that more) now i've just been playing with this method of cracking MD5 hashes and found that if it was a letters only password i could reverse the MD5 hash and gain the password... however if the password contained both letters and numbers then i couldn't... So my thought is for ADDED security would it not be an idea for me to make a mod that only allows passwords that have to contain x amount of letters and x amount of numbers ? Now i know one reply will be secure properly and no need for this, BUT surely this would be ADDED protection ? views and opinions please... Quote
Haunted Dawg Posted June 21, 2009 Posted June 21, 2009 Re: Passwords and MD5 encryption query... It would be added protection. However there is faster way's such as sha1 or sha256.. check out those, they still have not been decrypted. Quote
Lithium Posted June 21, 2009 Posted June 21, 2009 Re: Passwords and MD5 encryption query... As of md5 yes it is reversible ;) Also as HD says, you have faster libs, like sha1 and sha256 (the given examples), though you can keep the md5 and make it practically "irreversible" using one or two salt's (random keys to add to md5 encryption to make it harder to read) an example: Regular encryption seen on MCC Password = Password (MD5 = dc647eb65e6711e155375218212b3964) Salted using a second parameter (email addy) Password = Password (MD5 = dc647eb65e6711e155375218212b3964) Email = [email="[email protected]"][email protected][/email] Result: md5("[email protected]"."Password") Result hash: 5b0181c91ed60b3dcbf03b0f6ba61d77 As you can see a completly different result, and the salt "key" (email addy) becomes basicly an unique key to every single user as there are no 2 equal email addy's. Though you can expand this to basicly what you want, or even use an encryption that you create (these are always the best to use) Quote
Jeff Posted June 21, 2009 Posted June 21, 2009 Re: Passwords and MD5 encryption query... As of md5 yes it is reversible ;) Md5 is not decrypted or reversible because a single md5 hash could be several things (known as collisions), its a one way hash and not encryption. Although you cannot decrypt it or prove what it original was you can find a possibility using rainbow tables if you can find a match. Salting makes this allot harder to find a match and its best to use less common characters as these are less likely to be in a rainbow table and if you can make the salt different for each user thats great as well. You might want to consider using other methods of hashing. For a list of some you can get a list from the code: <?php print_r(hash_algos()); ?> Things like sha256, sha384 and sha512 are larger so therefore give you less chance for collisions. Also because they are larger they take longer to run and more space to store so rainbow tables would be much harder and take much longer to create. Quote
shrek1609 Posted June 21, 2009 Author Posted June 21, 2009 Re: Passwords and MD5 encryption query... thanks folks lot to think about there, i do like the idea of using the email addy as an additional key for the encryption with md5 and i would have thought not too hard to code in.... Quote
AlabamaHit Posted June 22, 2009 Posted June 22, 2009 Re: Passwords and MD5 encryption query... Every hash i have ever check on a rainbow table (Excluding good passwords ofcousre) I have got the result. Now You might not consider that cracked/reveresed/decrypted. But it's obviously......umm.....Getable lol I know md5 is "uncrackable" becuae of randoms or someething like that. But that is not true even if its not reversible. If you can use a rainbow table...I would personally call that reverisible. For you get the decryption. So...I say md5 is "crackable" (Don't smash me to hard. I know I don't know all the facts on this. Just my opinon)> Quote
shrek1609 Posted June 22, 2009 Author Posted June 22, 2009 Re: Passwords and MD5 encryption query... Every hash i have ever check on a rainbow table (Excluding good passwords ofcousre) I have got the result. Now You might not consider that cracked/reveresed/decrypted. But it's obviously......umm.....Getable lol I know md5 is "uncrackable" becuae of randoms or someething like that. But that is not true even if its not reversible. If you can use a rainbow table...I would personally call that reverisible. For you get the decryption. So...I say md5 is "crackable" (Don't smash me to hard. I know I don't know all the facts on this. Just my opinon)> yeah this is what has led me to posting this, this is the way i was obtaining the passwords so technically i guess not reversable but as you say getable... Quote
Haunted Dawg Posted June 22, 2009 Posted June 22, 2009 Re: Passwords and MD5 encryption query... We have decrypted 826,549 unique MD5 hashes since December 2005. Would you have 830k (+-) encrypted out there rather than having a couple? ;) Quote
Jeff Posted June 22, 2009 Posted June 22, 2009 Re: Passwords and MD5 encryption query... A hash is truly one way and not a form of encryption and its because of this that it cannot be reversed or decrypted. You can use rainbow tables to find a possibility but that is not reversing or decrypting. I also say a possibility because of collisions, you cannot prove it was the original value because there is no way to prove it is not a collision. If we are talking about password security this is a problem and something you may want to think about. HD you said about 830,000 being unique but you cannot theoretically prove they are unique unless you could test all possibilities, but there are an infinite number of inputs while only limited outputs. The md5 has is outputted as a 32 character string with 16 possibilities for each character so: 1632 = 3.40282367 ? 1038 Yet if we have a 9 character password and for this example on only use 62 character possibilities (26 upper + lower case letters + number) and don?t include any other characters or symbols just to make the example easy to understand. 629= 1.35370865 ? 1016 That may not seem like much but when but thats without any special character or symbols and only a 9 character password. If you?re going to start having changing salts you need to through that into the mix also. Taking into account the size of the characters used (only 62 by 9) its easy to see in how a real situation you will easy have many more possible inputs that outputs making collisions inevitable and there cannot be a hash proven to be unique. Back to the bit about security and you would need to use salts to help improve security against rainbow tables or a better for of hash with more possible outputs (and therefore reducing the collision possibilities) such as SHA-256 or SHA-512. Quote
shrek1609 Posted June 22, 2009 Author Posted June 22, 2009 Re: Passwords and MD5 encryption query... hmm so what would you say would be better for security, md5 + salts or sha 256/512 bearing in mind i have seen sha rainbow tables (not used so no idea if they are any good) Quote
Zeggy Posted June 22, 2009 Posted June 22, 2009 Re: Passwords and MD5 encryption query... regardless of what algorithm you use, if you salt it well you should have no problems. if you salt it appropriately, your rainbow tables won't do any good. but still, use a more modern algorithm to avoid problems with collisions. Quote
Jeff Posted June 22, 2009 Posted June 22, 2009 Re: Passwords and MD5 encryption query... so what would you say would be better for security, md5 + salts or sha 256/512 I would say sha 256/512 + salts, although sha 512 may be a bit overkill for a small online game. Sha rainbow tables are much less common and more advanced sha hashes like 256/512 would be much more time and resource consuming as mentioned in a previous post making them harder to produce. Quote
shrek1609 Posted June 22, 2009 Author Posted June 22, 2009 Re: Passwords and MD5 encryption query... thanks for that :) i'll have a go at coding this together this week and will post the code if i get it working well :) Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.