

hashing your passwords





Possum
Hi

What does the term "hashing your passwords" mean..

Here is an example

If you need an MD5 generator to hash your passwords

I've come across this term before but don't understand it..

Cheers Possum..
salman_500
hashing your passwords.... most probably, from the MD5 part, i think it means to encode your passwords, so that it is not readable.... like if u md5 a password : "pass" .. it will appear as random digits.... i dont exactly know how long... but will contain random letters and numbers.. and i dont think u can break it, coz you can't un-md5 a hashed pass .... maybe...

not really sure though... may be wrong...
coeus
There are other hashing techniques as well, like SHA-1.
I use SHA-1 on one of my sites and it makes anything into a 40 character random digit/letter string.
like
"pass"
= w938o4ikjr7duej367ehyd87urj4kfiucmensbht
or
"this is a really long string that is way longer than 40 characters yet somehow becomes a 40 string sha-1 hash"
= qkwlsihejdu895jtkkind903lekducmwisuzkr9d

now those aren't the actual hashes that come out, I made those 40 characters up, but you get the idea. A hash is a random generated string created by some formula to hide the original contents.

The result is a "secure" password. Meaning you can hash a string and match it up against the stored hash to see if they are the same, but it is so secure you can't unhash it to see what the original string was. Which means you can't retrieve passwords. So if you set up a login script you would have to reset the password instead of retrieve it.
vinx_18
coeus wrote:
There are other hashing techniques as well, like SHA-1.
I use SHA-1 on one of my sites and it makes anything into a 40 character random digit/letter string.
like
"pass"
= w938o4ikjr7duej367ehyd87urj4kfiucmensbht
or
"this is a really long string that is way longer than 40 characters yet somehow becomes a 40 string sha-1 hash"
= qkwlsihejdu895jtkkind903lekducmwisuzkr9d

now those aren't the actual hashes that come out, I made those 40 characters up, but you get the idea. A hash is a random generated string created by some formula to hide the original contents.

The result is a "secure" password. Meaning you can hash a string and match it up against the stored hash to see if they are the same, but it is so secure you can't unhash it to see what the original string was. Which means you can't retrieve passwords. So if you set up a login script you would have to reset the password instead of retrieve it.



What is more secure; the md5 or the sha1? Or is there any other alternative to this?
powers1983
The MD5 returns a 32 character string and the SHA-1 returns a 40 character string so there is less chance of a collision with the SHA1.

As far as more secure, as far as I know they are probably of comparable security because the sort of processing power and time required to break either is beyond the reach of your average home hacker (ie you need a supercomputer with a few weeks spare I'd have thought). Saying that, a longer string means more computations are needed for a brute force attack.

David.
coeus
I am unsure which is more secure but like the poster above, sha-1 uses 8 more bits to encode, so it's prolly more secure. Also, md5 is more used so maybe people have figured out how to crack it, or get around it? I am personally sticking with sha-1
kv
Quote:

I am unsure which is more secure but like the poster above, sha-1 uses 8 more bits to encode, so it's prolly more secure. Also, md5 is more used so maybe people have figured out how to crack it, or get around it? I am personally sticking with sha-1


md5 is more used, true, but figuring out how to crack it -- not possible. md5 algorithm is an irreversible algorithm. That is if you have a key, even if you know the algorithm which generated the hash, you will not be able to get back the key. It is like you have a result of sum of two numbers and you know the method to get a sum but you will not be able to figure out the original numbers by using the result.

The only way you can "crack" md5 hash is to use brute force. But the time taken by brute force attack on md5 is so huge (thousands of years on a powerful comp running several parallel threads) that it becomes impractical.
salman_500
you want security....

well md5 a password... then sha-1 the output.. and you get an extremely secure pass..lol...

the person like someone above said, would use a super computer to crack the sha-1 pass.. would actually never get the pass coz though its cracked, he would then end up with a md5 that would take its own time to crack... lol

and if your pass is something that controls the whole planet... then md5, sha-1, md5, sha-1 ............ to make it unbreakable...lolx !
manum
dude hashing means irreversible encryption.....I guess
Fire Boar
salman_500 wrote:
you want security....

well md5 a password... then sha-1 the output.. and you get an extremely secure pass..lol...

the person like someone above said, would use a super computer to crack the sha-1 pass.. would actually never get the pass coz though its cracked, he would then end up with a md5 that would take its own time to crack... lol

and if your pass is something that controls the whole planet... then md5, sha-1, md5, sha-1 ............ to make it unbreakable...lolx !


Actually... that's not as practical as it sounds. I don't know why, but it just isn't.

Anyway, MD5 is fine for most purposes. It's great for passwords because you can put them into the database md5'd, then when someone's logging in you md5 their input and compare it to the md5'd password in the database.

Here's the great thing about hashes. Consider the following:

Code:
md5("Pillow");  // Returns "d9c182949229fe61594b6d77025359c7"
md5("Pillows"); // Returns "435421c7c2c9c0cefa0ab34b78de5fa0"
md5("pillows"); // Returns "9243d69ddeac95adbf19a0da14bf9af0"


As you can see, the three words are almost identical and yet the hashes generated are nothing like one another.
qscomputing
A hash function, such as md5, takes an input value and gives an output value - like an encryption function. The difference is that with an encryption function one can go back from the output value (the ciphertext) to the input value (the cleartext), whereas with a hash function, one cannot get the input value from the output value.

This has several uses. One is password encryption. The other is for checksumming files. As the hash value is short, no matter what length the input is, you can hash a large file (say a 700MB ISO image). You then provide the file for download AND provide the hash (called a checksum in this case). The user then downloads the file, checksums it himself and compares it to your value - if they match, the file that was downloaded is (very probably) the same as your original; if not, there was probably an error in the transmission, or someone malicious has intercepted the transmission and sent a different file instead.

http://en.wikipedia.org/wiki/Md5

HTH.
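The checksum workflow from the post above, as an added example that is not part of the original thread. It uses SHA-256 rather than MD5 (a choice of this example), and the "download" is a small constructed temp file standing in for the ISO image.

```php
<?php
// Publisher side: hash the file once and publish the hex digest.
$original = tempnam(sys_get_temp_dir(), 'iso');
file_put_contents($original, str_repeat("constructed sample data\n", 1000));
$published = hash_file('sha256', $original);

// Downloader side: recompute the digest and compare it to the published one.
function verify_download(string $path, string $expectedHex): bool
{
    $actual = hash_file('sha256', $path);   // streams the file, any size
    if ($actual === false) {
        return false;                       // unreadable file counts as a failure
    }
    // Normalise the published value (case, stray whitespace from copy/paste).
    return hash_equals(strtolower(trim($expectedHex)), $actual);
}

// Case 1: an intact copy of the file.
$intact = tempnam(sys_get_temp_dir(), 'iso');
copy($original, $intact);

// Case 2: the same file with a single byte changed in transit.
$damaged = tempnam(sys_get_temp_dir(), 'iso');
$data = file_get_contents($original);
$data[500] = 'X';
file_put_contents($damaged, $data);

echo "published digest: $published\n";
echo "intact copy matches:  ";
var_dump(verify_download($intact, $published));
echo "damaged copy matches: ";
var_dump(verify_download($damaged, $published));

// Remove the constructed files.
array_map('unlink', [$original, $intact, $damaged]);
```

A checksum only protects against a malicious replacement when it is obtained over a channel the attacker cannot also change; a digest served from the same place as the file mainly catches transmission errors.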
powers1983
salman_500 wrote:
you want security....

well md5 a password... then sha-1 the output.. and you get an extremely secure pass..lol...

the person like someone above said, would use a super computer to crack the sha-1 pass.. would actually never get the pass coz though its cracked, he would then end up with a md5 that would take its own time to crack... lol

and if your pass is something that controls the whole planet... then md5, sha-1, md5, sha-1 ............ to make it unbreakable...lolx !


I can't remember the name of the person but it's in one of the other security threads but at a Computer Security convention the 'inventor' of various algorithms was giving a talk and he basically said "It is not your job to make secure algorithms, it's mine so don't try and improve them by combining them as you are likely to make it less secure".

Anyway there is no point. The idea is that the cracker knows what you do with it and he knows the end result, so all he does is recreate your code and repeat.
So using 4 hashing functions won't solve anything cos he knows you use 4 hashing functions and will do the same and so it will not take any longer to get to a brute force solution - HOWEVER by combining algorithms you may inadvertently weaken the code (eg. hashing twice might always give the same result for the first, eighth and 19th character).

To add a bit of security you could use 'seeding' which is when you add a known value to the entered password BEFORE hashing. This stops a hacker who has a list of your hashed passwords from spotting people who have the same password (which if you have hundreds of users is quite likely) and then he only needs to crack one to access both.

You can seed with the username, date of birth, date registered - anything that will always be the same for that user.

Anyway, hope that helps.

David.
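The 'seeding' idea from the post above (usually called salting), as an added example that is not part of the original thread. The user names and passwords are constructed, and the example uses a random per-user salt and PHP's built-in password_hash() rather than the username or date of birth suggested in the post.

```php
<?php
// Constructed accounts: alice and bob happen to use the same password.
$users = ['alice' => 'sunshine1', 'bob' => 'sunshine1', 'carol' => 'tr0ub4dor'];

// 1) Unsalted MD5: equal passwords give equal hashes, so anyone holding
//    the table can see which accounts share a password.
$unsalted = array_map('md5', $users);
echo "unsalted, alice and bob share a hash: ";
var_dump($unsalted['alice'] === $unsalted['bob']);

// 2) A per-user salt stored next to the hash. This step only shows the
//    effect of the salt; SHA-256 is still a fast hash.
function salted_record(string $password): array
{
    $salt = bin2hex(random_bytes(16));
    return ['salt' => $salt, 'hash' => hash('sha256', $salt . $password)];
}

function salted_verify(string $attempt, array $record): bool
{
    // hash_equals() compares in constant time and never type-juggles.
    $candidate = hash('sha256', $record['salt'] . $attempt);
    return hash_equals($record['hash'], $candidate);
}

$salted = array_map('salted_record', $users);
echo "salted, alice and bob share a hash: ";
var_dump($salted['alice']['hash'] === $salted['bob']['hash']);
echo "salted, alice's password still verifies: ";
var_dump(salted_verify('sunshine1', $salted['alice']));

// 3) What to store in practice: password_hash() picks a random salt, uses a
//    deliberately slow algorithm, and packs algorithm, cost and salt into
//    the one string that goes in the database.
$stored = array_map(function ($p) {
    return password_hash($p, PASSWORD_DEFAULT);
}, $users);
echo "password_hash, alice and bob share a hash: ";
var_dump($stored['alice'] === $stored['bob']);
echo "password_verify accepts the right password: ";
var_dump(password_verify('sunshine1', $stored['bob']));
echo "password_verify rejects a wrong one: ";
var_dump(password_verify('Sunshine1', $stored['bob']));
```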
thinkingskull
message digest, is a number generated from a string of text. The hash is substantially smaller than the text itself, and is generated by a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.

md5 means message digest 5
Agent ME
A common use for it is for storing passwords in a database.

Let's say you have a form on your website that prompts you for a password, like 'apple'. The password is stored in a database or code somewhere.

Now what if a hacker could view, but not edit, the code or database? Assuming he couldn't find any loopholes, he'd logically try to figure out the password from all of it. And he finds a piece of code, and he's got it.
Code:
$password = $_POST['pass'];
if($password=='apple')
{
    echo "You got the password right!";
} else {
    echo "WRONG!";
}

So now Jack the hacker has infiltrated your system. He's logged in as you, and has seen the secret message. Your website is in ruins now. You go back to repair it, but you're unable to prevent him from reading the code, but still need to be sure he isn't able to get the password.

This is where hashing comes in.
Hashing is a one-way function - you give it a piece of data, like the password, and it generates a 'hash', which is theoretically unique to that data. If the hashes match, then the data fed into the hasher must match. But there is no way to figure out or 'decode' the data from the hash.

Here's the new code.
Code:
$password = $_POST['pass'];
if(md5($password)=='ec9f516fc586990507203d2dad0e0359')
{
    echo "You got the password right!";
} else {
    echo "WRONG!";
}

No matter how he looks at the code, he's never going to figure out that the password is 'funny duck34'.
Dougie1
If you don't believe how secure it is try this with maybe a 4 letter password and see how long it takes to crack. I found this on the php site just before going to make one myself!

Code:
<?php
set_time_limit(0);
// chr(rand()) yields an arbitrary byte (0-255), not necessarily a printable character
$randpass = chr(rand()).chr(rand());
print "RANDOM PASSWORD: $randpass";
print "<br/>";
$password = md5("$randpass");
$guesswrd = "";
$tries = 0;
$start = microtime(true);
// !== so that two digests of the form "0e<digits>" are not compared as numbers
while ($password !== md5($guesswrd)) {
    $guesswrd = chr(rand()).chr(rand());
    $tries += 1;
}
$end = microtime(true);
$time = $end - $start;
print "GUESSED PASSWORD: $guesswrd";
print "<br/>";
print "It took $tries tries and $time seconds";
?>

I tried with 3 characters and got:

It took 2034943 tries and 15.9387509823 seconds

Imagine with a normal 8 character password though.

You can see how it can be brute forced though with a bit of effort.

I am not too sure about this script though as it guesses a totally random number which may not be an ascii character....

EDIT I have now created my own script which uses only capital letters small letters and numbers and the result for 3 characters was:

Password guessed correctly after 190821 attempts and 1.96541690826 seconds

You can see that brute force is possible.

See how secure your password is:

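Code:
<?php
set_time_limit(0);

// Build a random string of $length characters from digits and letters
function randomkeys($length)
{
    $pattern = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    // [] instead of {}: curly-brace string offsets were removed in PHP 8
    $key = $pattern[rand(0,61)];
    for ($i = 1; $i < $length; $i++) {
        $key .= $pattern[rand(0,61)];
    }
    return $key;
}

if (isset($_GET['password'])) {
    $password = $_GET['password'];
    $password_length = strlen($password);
} else {
    $password_length = 6;
    if (isset($_GET['length'])) {
        $password_length = (int) $_GET['length'];
    }
    $password = randomkeys($password_length);
}

// Escape before echoing: the value can come straight from the query string
echo "Password is: " . htmlspecialchars($password) . " ";
$password = md5($password);
$attempts = 0;
$guess = "";   // initialise so the first comparison does not read an undefined variable
$start = microtime(true);
// !== so that two digests of the form "0e<digits>" are not compared as numbers
while ($password !== $guess) {
    $guess = md5(randomkeys($password_length));
    $attempts++;
}
$end = microtime(true);
$time = $end - $start;
echo "Password guessed correctly after $attempts attempts and $time seconds";
?>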
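An added example, not part of the original post: it takes the timing experiment above one step further by measuring the guess rate for MD5 and for bcrypt (via password_hash()) in the same PHP process, then scaling both to the 62-character alphabet used in the script. The 0.5 second measuring window and the bcrypt cost of 10 are assumptions of this example.

```php
<?php
// Hash as many distinct guesses as fit in $budget seconds and return
// the achieved rate in guesses per second.
function guesses_per_second(callable $hashOnce, float $budget = 0.5): float
{
    $n = 0;
    $start = microtime(true);
    do {
        $hashOnce("guess" . $n);
        $n++;
    } while (microtime(true) - $start < $budget);
    return $n / (microtime(true) - $start);
}

// Years needed to try every password of $length characters drawn from
// $symbols possible characters, at $rate guesses per second.
function years_to_exhaust(int $symbols, int $length, float $rate): float
{
    $keyspace = pow($symbols, $length);
    return $keyspace / $rate / (365.25 * 24 * 3600);
}

$md5Rate = guesses_per_second('md5');
$bcryptRate = guesses_per_second(function ($guess) {
    return password_hash($guess, PASSWORD_BCRYPT, ['cost' => 10]);
});

printf("md5:    %.0f guesses/second\n", $md5Rate);
printf("bcrypt: %.0f guesses/second\n", $bcryptRate);

// 62 symbols = digits, upper case and lower case, as in $pattern above.
foreach ([3, 6, 8] as $length) {
    printf(
        "%d characters: md5 %.3g years, bcrypt (cost 10) %.3g years\n",
        $length,
        years_to_exhaust(62, $length, $md5Rate),
        years_to_exhaust(62, $length, $bcryptRate)
    );
}
```

The rates are for one PHP process on the machine running the script; dedicated cracking hardware computes MD5 orders of magnitude faster, which is why a slow, tunable password hash is preferred for stored passwords.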
Med365
Hello

PHP has built-in functions to encrypt a password. It seems Dougie1 used the md5 function.

But Dougie1, if you want something really secure, you shouldn't use the GET transmission method to transmit the password via the form. This way the pass appears in the address bar and it appears CLEAR!

Use POST

The same code using POST (so the pass is hidden during transmission) :

Code:

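<?php
set_time_limit(0);

// Build a random string of $length characters from digits and letters
function randomkeys($length)
{
    $pattern = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    // [] instead of {}: curly-brace string offsets were removed in PHP 8
    $key = $pattern[rand(0,61)];
    for ($i = 1; $i < $length; $i++) {
        $key .= $pattern[rand(0,61)];
    }
    return $key;
}

if (isset($_POST['password'])) {
    $password = $_POST['password'];
    $password_length = strlen($password);
} else {
    $password_length = 6;
    if (isset($_POST['length'])) {
        $password_length = (int) $_POST['length'];
    }
    $password = randomkeys($password_length);
}

// Escape before echoing: the value comes straight from the request
echo "Password is: " . htmlspecialchars($password) . " ";
$password = md5($password);
$attempts = 0;
$guess = "";   // initialise so the first comparison does not read an undefined variable
$start = microtime(true);
// !== so that two digests of the form "0e<digits>" are not compared as numbers
while ($password !== $guess) {
    $guess = md5(randomkeys($password_length));
    $attempts++;
}
$end = microtime(true);
$time = $end - $start;
echo "Password guessed correctly after $attempts attempts and $time seconds";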
manav
A hash (also called a hash code, digest, or message digest) can be thought of as the digital fingerprint of a piece of data. You can easily generate a fixed length hash for any text string using a one-way mathematical process. It is next to impossible to (efficiently) recover the original text from a hash alone. It is also vastly unlikely that any different text string will give you an identical hash - a 'hash collision'. These properties make hashes ideally suited for storing your application's passwords. Why? Because although an attacker may compromise a part of your system and reveal your list of password hashes, they can't determine from the hashes alone what the real passwords are.
There are a number of strong hashing algorithms in use, the most common of which are MD5 and SHA-1. Older systems - including many Linux variants - used Data Encryption Standard (DES) hashes. With only 56 bits this is no longer considered an acceptably strong hashing algorithm and should be avoided.
Example code
Code:
<?php
$string = 'PHP & Information Security';
printf("Original string: %s\n", $string);
printf("MD5 hash: %s\n", md5($string));
printf("SHA-1 hash: %s\n", sha1($string));
?>

Output
Original string: PHP & Information Security
MD5 hash: 88dd8f282721af2c704e238e7f338c41
SHA-1 hash: b47210605096b9aa0129f88695e229ce309dd362
deathseaker
Hashing a password or file or anything means to encrypt it with an algorithm that is NEARLY 100% impossible to decode unless u are realllllly good at math lol (As in a freaking genius)
deathseaker
forgot to mention when you hash you cannot unhash it, its stuck like that unlike base64_encode where u can just do base64_decode..
Dougie1
@ Med365. My script is to try and decrypt a password therefore it doesn't need to be secure so GET data is fine.

@ deathseaker. That is why the passwords are so secure. You can't decrypt them. This is why a database attack would be less serious.

Anyway I think the question has been answered. Let's let the topic die.
gerpg
if you're going to hash passwords md5 is by far the best option however make sure that you uppercase or lowercase the variable from a login form so that the password is not case sensitive, some people that use the internet still haven't grasped the case sensitive part and you won't be able to change it once you have a password in the database that's uppercase.

Louis.
Dalv87
vinx_18 wrote:
Or is there any other alternative to this?

There are a bunch of others, like SHA-384. I don't know what is most secure though.
http://en.wikipedia.org/wiki/SHA or
http://en.wikipedia.org/wiki/Category:Cryptographic_hash_functions
gerpg
md5 is more than capable of encoding passwords unless you're planning on hosting a multi-million dollar site and some hacker is willing to spend 6 months figuring out how md5 works, no1 really cares about decrypting passwords, its easier to place a trojan keylogger on the local machine and just wait for the person to enter their password.


Louis.
© 2005-2011 Frihost, forums powered by phpBB.