
Thread: md5 encryption?

  1. #1
    SitePoint Member
    Join Date
    Oct 2009
    Posts
    7

    md5 encryption?

    When saving users' passwords to a SQL database, is it really that important to MD5 them? If someone has access to the MD5 hash code, couldn't they very easily decrypt it?

  2. #2
    felgall (Programming Since 1978)
    Join Date
    Sep 2005
    Location
    Sydney, NSW, Australia
    Posts
    16,869
    md5 isn't encryption - it is hashing.

    Hashing is one way - millions of different original values can generate the same hash but if you make a minor change to the original (which could be so small as to be unnoticeable) then you end up with a completely different hash.

    Hashes such as MD5 are primarily used for detecting changes to the original from which the hash was originally generated. Their use to hide passwords was not intended when MD5 was created.

    It has since been discovered that it is not all that hard to work out AN original value that will generate a specific MD5 hash. That doesn't mean that you have worked out what the person's password is just that you have found a value that will achieve the same result of getting into their account. To avoid this problem most systems now use what is known as a "salt" which is a value added to the password and included in the hash. The resultant hash is therefore completely different from the hash obtained without the salt and since the salt is added to the value before hashing it becomes necessary to not only find A value that produces the hash but a value that also includes the salt. That is a much more difficult task because all the effort that went into breaking the MD5 hash for unsalted input would need to be repeated for each salt value in order to break it for a given salt.

    Encrypting instead of hashing the password would be pointless since anyone with access to the encrypted copy would also have access to run the decryption module.
    Stephen J Chapman

    <input name="html5" type="text" required pattern="^$">
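The effect of the salt described in the reply above, as an added example that is not part of the original thread: a table computed once from unsalted MD5 values matches every account that shares a listed password, while the same table matches nothing once each record carries its own random salt. The user names, word list and function names are constructed for illustration, and the salted form follows the reply's MD5-plus-salt scheme.

```python
import hashlib
import hmac
import os


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def store_unsalted(password):
    # What a bare md5(password) column holds.
    return {"hash": md5_hex(password.encode())}


def store_salted(password, salt=None):
    # Per-user random salt, stored next to the hash it was mixed into.
    salt = os.urandom(16) if salt is None else salt
    return {"salt": salt.hex(), "hash": md5_hex(salt + password.encode())}


def verify_salted(record, candidate):
    # Recompute with the stored salt; compare in constant time.
    expected = md5_hex(bytes.fromhex(record["salt"]) + candidate.encode())
    return hmac.compare_digest(expected, record["hash"])


def build_table(words):
    # Work done once on unsalted input, reusable against any unsalted column.
    return {md5_hex(w.encode()): w for w in words}


def table_hits(records, table):
    return [table[r["hash"]] for r in records if r["hash"] in table]


# Constructed sample data (assumptions, not from the thread).
WORDS = ["letmein", "password1", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein"}


def demo():
    table = build_table(WORDS)
    unsalted = [store_unsalted(p) for p in USERS.values()]
    salted = [store_salted(p) for p in USERS.values()]
    return {
        "unsalted_hits": table_hits(unsalted, table),
        "salted_hits": table_hits(salted, table),
        "same_unsalted_hash": unsalted[0]["hash"] == unsalted[1]["hash"],
        "same_salted_hash": salted[0]["hash"] == salted[1]["hash"],
        "login_ok": verify_salted(salted[0], "letmein"),
        "login_bad": verify_salted(salted[0], "qwerty"),
    }
```

The salt only removes the reuse of precomputed work; MD5 itself is still fast to compute, which is why current password storage uses a deliberately slow salted function such as bcrypt, scrypt or Argon2.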

  3. #3
    SitePoint Member
    Join Date
    Oct 2009
    Posts
    7
    wow, that's amazing,
    you said that very well and I fully understand now.

    thanks so much

