
What Is Md5 For?


MrFish


What is MD5 used for? Isn't it possible to reverse an MD5 encryption regardless of what the "salt" is? And I'm not sure how a hacker would get a hold of it in the first place? And if MD5s aren't reversible, and hackers can get a hold of it, what should I even use the MD5 for? So I encrypt a password, then check the database for a hash and username match instead of a password and username match?


MD5 is one type of hash. Frankly, there's no reason to use MD5, it's old and there are newer and stronger hashes. Hashes can't be reversed, that's one of the characteristics which make them hashes (part of the definition of a hash is that there is no algorithm to transform the hash to the original data).

Here's a small example of a hash, this is a 1-byte hash. Assume you want to hash words, and you want to use a 1-byte hash. One possible algorithm would be to take the ASCII value of the first character, plus the ASCII value of the last character, and take the remainder after dividing by 8 (the modulus). That gives a number between 0 and 7 (1 byte). So any two words which have the same first and last characters would have the same hash. There's no algorithm to map any value 0-7 to a single word, each value could have an infinite number of words which map to it.

You could implement a 1-byte hash like that to secure passwords, but in order to hack into someone's account you would only need to try 8 passwords in order to have at least one of them generate the same hash. When you get 2 values which generate the same hash that's called a collision.

MD5 is a 32-byte hash, it has 128 bits. SHA-1 is an algorithm which generates a 160-bit hash. The SHA-2 family has algorithms like SHA-256, SHA-384, SHA-512 etc. which generate larger hashes. Larger hashes are generally harder to break, because in order to break a hash you need to find a collision. The time that it takes to find a collision for MD5 isn't all that long. 20 years ago it took a while to crack MD5, but not any more. US-CERT of the U.S. Department of Homeland Security said MD5 "should be considered cryptographically broken and unsuitable for further use."

A salt is used to provide another level of randomness with hashes. If you're going to break a salted hash, you need to know what the salt was and how it was added to the original in order to be able to find a collision which would produce the same hash.

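As an added example (not written by any of the posters above), the following Python code implements the 1-byte toy hash from the reply above so the collisions it describes can be seen, reports the MD5 digest size that `hashlib` gives, and then shows the "store a salted hash, compare hash and username at login" flow MrFish asks about. PBKDF2-HMAC-SHA256 from the standard library is my stand-in for a "newer and stronger" hash; the user table, usernames and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def toy_hash(word: str) -> int:
    """The reply's toy hash: (ASCII of first char + ASCII of last char) mod 8."""
    return (ord(word[0]) + ord(word[-1])) % 8


def toy_collisions(words):
    """Group words by toy hash; any bucket with 2+ entries is a collision."""
    buckets = defaultdict(list)
    for w in words:
        buckets[toy_hash(w)].append(w)
    return {h: ws for h, ws in buckets.items() if len(ws) > 1}


def md5_digest_bytes() -> int:
    """Size in bytes of an MD5 digest as reported by hashlib (128 bits)."""
    return hashlib.md5(b"").digest_size


# Salted, iterated password hashing (PBKDF2-HMAC-SHA256) standing in for raw MD5.
ITERATIONS = 200_000  # constructed value; tune for your own hardware


def make_record(password: str) -> dict:
    """Per-user random salt + PBKDF2 output: the only thing the DB stores."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iters": ITERATIONS}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(digest.hex(), record["hash"])


# Constructed in-memory "user table": login checks username + hash, never a password.
def register(users: dict, username: str, password: str) -> None:
    users[username] = make_record(password)


def login(users: dict, username: str, password: str) -> bool:
    record = users.get(username)
    return record is not None and verify(password, record)
```

Running `toy_collisions(["hello", "hero", "halo", "apple"])` returns `{7: ['hello', 'hero', 'halo']}`: three words sharing first and last letters land in one bucket, while two records for the same password differ because each gets its own salt.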

The encryption of passwords can be thought of as "belt-and-suspenders" security. Under normal circumstances, having the password hashed on the server does not increase security. Anyone who has social access to a password (like asking you for it or breaking into your office) or packet-sniffing access will be able to use your account. So the first two lines of security are for developers to use HTTPS for sensitive communications, and for users to understand their own security risks. None of this involves hashing.

But now imagine a hacker breaks into a server. The most dangerous threat here is not an evening's access to everyone's credit card information and so on (though, yeah, it's a pretty terrible thing) but continued access, even after the original security leak has been closed by admins. If a cracker gets a plain text version of your password, continued infiltration through the normal login system could be an ongoing nightmare for the user and website both. (A real slick hacker won't even disturb the system during the initial break-in. He'll just use login info to keep messing with your life.) But if he gets a hashed version of the password, then the normal login system is shut off as a path of infiltration. (Assuming the developers have protected against things like SQL injection.)


Also, attacking a password repository can allow a hacker to gain access to all passwords on a system - and often, since people don't really use a different password for everything - access to people's other services as well. That's what happened to MediaTemple recently - they weren't storing the passwords as irreversible hashes - just as encrypted values. Someone broke into their DB and managed to obtain a lot of people's passwords, and proceeded to compromise not one, but dozens of sites at once.


Yeah. Something we don't talk about enough. A lot of people on the board who keep databases are basically hobbyists. It's easy to treat it all like a game.

BUT

If your user database contains any identifying information, like an address, phone number, email address, etc., you've got a RESPONSIBILITY to keep passwords secure. Because users are fools, as Synook pointed out, and they do recycle passwords.

Being able to figure out who a person is in real life, and having one of their passwords, is BAD NEWS.

A cracker could get into the database of an anime fan site (small potatoes, right?) and get enough data to log in to someone's PayPal account.

So even a little hobby site should really hash passwords.

