Site Moved

This site has been moved to a new location - Bin-Blog. All new post will appear at the new location.


MD5 is Dead - use SHA1

MD5 has been on its last legs for some time - now it is 'offically' dead. A C program has been released that can find the collitions of a given MD5 Hash within just 45 minutes on a decent computer. MD5 has been proven to be a weak algorithm for some time now - infact, it had been banned from microsoft in support of better algorithms like SHA.

If you are building a new application, think twice before using MD5 to encrypt the passwords - use SHA instead. PHP has a function sha1() that can be used to find the hash of any string. Example...

$encrypted_password = sha1($_POST['pass']);

MySQL also has a SHA function - you can use it like

mysql> SELECT SHA1("abc");
    -> 'a9993e364706816aba3e25717850c26c9cd0d89d'

# OR from PHP as 

mysql_query("INSERT INTO users(login,password) 
VALUES('" . addslashes($_POST['username']) . "', SHA1('" . addslashes($_POST['password']) . "')");

# OR as

$sql_handle = mysql_query("SELECT user_id FROM users 
WHERE user_login='".addslashes($_POST['username'])."' 
AND user_password=SHA1('".addslashes($_POST['password'])."')");

If you want to find the password that was encrypted using MD5, you are better of using the Online Hash Database. This is a database having a huge number of MD5 Hashes and its plain text counterparts. So if you input a MD5 hash, it will search its database to find which text has the given MD5 hash. This system will be defeated if you use a salt when creating the hash.

Filed Under...
Categories :
Technorati Tags: