md5 is reversible!!

Discussion in 'Security' started by clades, Mar 27, 2009.

  1. #1
    I thought md5 was 1-way encryption, but today I visited a website and got shocked how easy it is to reverse it... I just clicked the button and the original string appeared. (probably the site has a generous md5 key database)

    omg.. that's all I've used up to now...

    What should I use then?
     
    clades, Mar 27, 2009
  2. baonhi41
    #2
    That is not decoding, only a dictionary. The most famous is http://gdataonline.com with more than 1,133,761,543 words.
    To counter that, use letters + digits + some special characters in your password, and a long password. Ex: Kara)$oke12
    Hard to discover
     
    baonhi41, Mar 27, 2009
  3. jestep
    #3
    It's called a rainbow table. MD5 is irreversible, but if someone has a database of enough known hashes the standard function can become useless. To get around this, always add a salt to your hashes. This can be something static like:

    MD5(string_to_hash . hu7f889r4hfioewr)

    or can be something dynamic like:

    MD5(string_to_hash . hsah_ot_gnirts)

    Either way makes a cracking table useless.
     
    jestep, Mar 27, 2009
  4. clades
    #4
    yay good idea :D
     
    clades, Mar 27, 2009
  5. baonhi41
    #5
    OR MD5(base64_encode("YOUR_REAL_PASSWORD"))

    Because MD5("YOUR_REAL_PASSWORD") is easier than MD5(base64_encode("YOUR_REAL_PASSWORD"))
     
    baonhi41, Mar 27, 2009
  6. jackio
    #6
    Best way to hash passwords is to give it a little salt!
    For example:
    sha1(md5(md5($password) . $registrationdate) . $salt);

    Just making it harder to get :)
     
    jackio, Apr 18, 2009
  7. pitagora
    #7
    Simply use salt. Salted hashes are terribly hard to crack considering you can't use rainbow tables.
     
    pitagora, Apr 25, 2009
  8. yah0m
    #8
    sha-1+salt is the new md5 imo... I don't know why we still use md5's
     
    yah0m, May 11, 2009
  9. Ladadadada
    #9
    Ladadadada, May 16, 2009
  10. pitagora
    #10
    If the attacker knows you are doing this then there is no difference in security. base64 is easy to calculate and consumes very little CPU time in comparison with md5.
     
    pitagora, May 27, 2009
  11. justdoit1
    #11
    Here's what we should do:

    actual password = server_salt + user_password;

    The server_salt will be kept outside of the root directory of the server or on an authentication server in the DMZ.

    In this way, even if attacker can obtain user password through SQL injection, he won't be able to login because he wouldn't know the actual password.

    With SQL injection, he can only know the password hash, which is a combination of server_salt + user_password.

    To be able to crack, he must know server hash. We must also disable mysql-loadfile=0 in my.cnf.
     
    justdoit1, May 27, 2009
  12. Bohra
    #12
    Yeah, it's not actually reversible; they are creating a database by entering words.
     
    Bohra, May 30, 2009
  13. liammarksmith
    #13
    MD5, as said above, cannot be decoded.

    What they have done is probably got a database full of words, looped through them running md5, and attached the md5 string to that word.

    Then you query the database looking for your md5 string and bang, if a match has been found you're returned the original. You can decode any encryption this way, even if you need a string to decode it like crypt.
     
    liammarksmith, May 30, 2009
  14. jestep
    #14
    One thing to remember is that with crypt or any reversible encryption, if the key is known, then anything encrypted is known. With a hash like md5, sha1, there is no reversal, so if someone matches one hash, it takes the same amount of time, or more, to match even a single other. This is one of the reasons why hashing is a better idea for passwords.

    Just adding a random string of 7 or 8 characters as a salt will completely negate any cracking table.
     
    jestep, May 30, 2009
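
The lookup-table behaviour discussed in posts #3, #10 and #14, as an added example that is not code from any poster in this thread: a precomputed table matches unsalted MD5 and MD5-of-base64 equally well, but not a hash made with a random salt. The word list is constructed, the function names are hypothetical, and PBKDF2-HMAC-SHA256 is a swapped-in choice for the stored hash rather than the single MD5 call the posts use.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: a tiny word list standing in for a lookup site's database.
WORDLIST = ["password", "letmein", "dragon", "qwerty"]

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_table(transform) -> dict:
    """Precompute hash -> word once; each later lookup is a single dict hit."""
    return {md5_hex(transform(w.encode())): w for w in WORDLIST}

# One table for MD5(word), one for MD5(base64(word)) as proposed in post #5.
PLAIN_TABLE = build_table(lambda b: b)
B64_TABLE = build_table(base64.b64encode)

def audit(stored_hex: str) -> str:
    """Return the word if a stored hash is in a precomputed table, else ''."""
    return PLAIN_TABLE.get(stored_hex) or B64_TABLE.get(stored_hex) or ""

def hash_password(password: str, salt: bytes = b"", iterations: int = 200_000):
    """Fresh random salt per user plus a slow KDF; store all three values."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, salt, iterations, digest) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time compare

if __name__ == "__main__":
    print(repr(audit(md5_hex(b"letmein"))))                     # unsalted
    print(repr(audit(md5_hex(base64.b64encode(b"letmein")))))   # base64 first
    print(repr(audit(md5_hex(os.urandom(8) + b"letmein"))))     # random salt
    salt, n, digest = hash_password("letmein")
    print(verify_password("letmein", salt, n, digest))
```

A static salt shared by every user only forces one table rebuild for the whole database; a per-user random salt forces that work again for each account.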
  15. sadiqsaad

    #15
    It's breakable, and guess what, using a PS3. Search Google for more info.
     
    sadiqsaad, Jun 6, 2009
  16. Bohra
    #16
    Bohra, Jun 6, 2009
  17. Matthew Sayle
    #17
    The cool thing is, you can change your WordPress password via phpMyAdmin and when you log in again it automatically adds the salt.

    So you can use a standard md5 hash encrypter to generate new WP passwords without worrying about the salt.
     
    Matthew Sayle, Jul 5, 2015
  18. PoPSiCLe
    #18
    Wait, what? How in the world of all that is holy is that considered "safe" in any way? If anyone can redo the password with a simple MD5 hasher, and then log in and get any type of security (yeah, right) generated for them on login, what's stopping anyone from doing this? All they'd need is access to the database (which, given that it's WordPress, isn't that hard to get) and then insert the new password on, say, the user accounts with an id of less than 20 - the chances of one of those being an admin account are pretty big. If they don't need to know either the salt or the type of encryption in use, that makes for a HUGE security hole. (At least if that wasn't the case, even if they get hold of the database, there's no way for them to access the account, simply because they can't decipher the password stored).
     
    PoPSiCLe, Jul 6, 2015