Originally Posted by noodles
hm everyone here says, you shouldn't use md5... but why? isn't it secure?
As many above said, you can simply use a rainbow table to find the corresponding password to that specific hash.
MD5 is also such a quick algorithm that it borders on when you really have to use rainbow tables and when you can use a brute-force attack.
http://eprint.iacr.org/2006/105
However, as Phaaze said, you could use key strengthening.
I can't understand why you guys still argue about MD5. I don't usually deal with PHP, but just a quick search gave me this code snippet:
PHP Code:
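$phrase = "Hello World";
// SHA-1 as a hex string from the built-in sha1(), then base64-encoded
$sha1a = base64_encode(sha1($phrase));
// The same SHA-1 digest via the mhash functions (raw bytes converted to hex)
$sha1b = base64_encode(bin2hex(mhash(MHASH_SHA1,$phrase)));
// SHA-256 (SHA-2 family) via mhash, hex-encoded and then base64-encoded
$sha256b= base64_encode(bin2hex(mhash(MHASH_SHA256,$phrase)));
echo ("SHA1..:" . $sha1a . "\n");
echo ("SHA1..:" . $sha1b . "\n");
echo ("SHA256:" . $sha256b . "\n");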
So I mean, what's so troublesome about that, that you can't use it? It's just a line of code and then you got your SHA-2 hash ready to go! Add a known salt to that, for example a large random number that you store in the column next to the password column and concatenate to the password before hashing it all. Then brute-force attacks can only be done on one password at a time, because all passwords use a different salt. This is what makes the time required to find the password increase so much that it becomes impractical to try, just using the hardware of today.
Although I'm wondering what quantum computing will turn out like and what it will do to the area of computer security.
Lastly, hashing != encryption, because it's irreversible. Encryption is stuff like blowfish and RSA.
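
The per-user salt stored next to the password column and the key strengthening mentioned in the post above, combined in one added example (not code from the thread). It uses PBKDF2 with SHA-256 as the strengthening method, which the post does not name; the function names, column names and iteration count are assumptions.

```php
<?php
// Added example, not the poster's code. Function names, column names and
// the iteration count are assumptions chosen for illustration.
const ITERATIONS = 100000;   // key-strengthening work factor (assumed value)

// Build the values stored in the user's row: a random salt and the hash.
function make_record(string $password): array
{
    $salt = random_bytes(16);   // large random value, unique per user
    $hash = hash_pbkdf2('sha256', $password, $salt, ITERATIONS, 32, true);
    return [
        'salt'     => bin2hex($salt),   // column next to the password column
        'password' => bin2hex($hash),   // password column holds only the hash
    ];
}

// Recompute the hash with the stored salt and compare in constant time.
function check_password(string $password, array $row): bool
{
    $salt = hex2bin($row['salt']);
    $calc = hash_pbkdf2('sha256', $password, $salt, ITERATIONS, 32, true);
    return hash_equals(hex2bin($row['password']), $calc);
}

// Constructed sample data: two users who picked the same password.
$alice = make_record('Hello World');
$bob   = make_record('Hello World');

// Same password, different salts: the stored hashes are compared here,
// which is why one precomputed table cannot cover both rows.
var_dump($alice['password'] === $bob['password']);

// Verification succeeds only for the exact password of that row.
var_dump(check_password('Hello World', $alice));
var_dump(check_password('hello world', $alice));
```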