MD5 has been on its last legs for some time - now it is 'officially' dead. A C program has been released that can find the collisions of a given MD5 hash within just 45 minutes on a decent computer. MD5 has been proven to be a weak algorithm for some time now - in fact, it had been banned at Microsoft in favor of better algorithms like SHA.
If you are building a new application, think twice before using MD5 to hash the passwords - use SHA instead. PHP has a function, sha1(), that can be used to find the hash of any string. Example:
$encrypted_password = sha1($_POST['pass']);
MySQL also has a SHA function - you can use it like this:
mysql> SELECT SHA1("abc");
        -> 'a9993e364706816aba3e25717850c26c9cd0d89d'
# OR from PHP as
mysql_query("INSERT INTO users(login,password) VALUES('" . addslashes($_POST['username']) . "', SHA1('" . addslashes($_POST['password']) . "'))");
# OR as
$sql_handle = mysql_query("SELECT user_id FROM users WHERE user_login='" . addslashes($_POST['username']) . "' AND user_password=SHA1('" . addslashes($_POST['password']) . "')");
If you want to find the password that was hashed using MD5, you are better off using the Online Hash Database. This is a database holding a huge number of MD5 hashes and their plain text counterparts. So if you input an MD5 hash, it will search its database to find which text has the given MD5 hash. This system will be defeated if you use a salt when creating the hash.
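The effect of a salt on such a lookup database, as an added example that is not part of the original post. It assumes PHP 7 or later; the function names, the "salt:hash" storage format and the sample passwords are all constructed for illustration.

```php
<?php
// Added example: a per-user salt versus a precomputed hash lookup table.
// Function names and the "salt:hash" format are assumptions, not from the post.

// Tiny stand-in for a hash database: maps sha1(plain) => plain.
function build_lookup_table(array $candidates): array {
    $table = [];
    foreach ($candidates as $plain) {
        $table[sha1($plain)] = $plain;
    }
    return $table;
}

// Hash a password with a fresh random salt; the salt is stored next to the hash.
function hash_with_salt(string $password): string {
    $salt = bin2hex(random_bytes(16));
    return $salt . ':' . sha1($salt . $password);
}

// Check a login attempt by re-hashing it with the stored salt.
function verify_salted(string $password, string $stored): bool {
    list($salt, $hash) = explode(':', $stored, 2);
    return hash_equals($hash, sha1($salt . $password));
}

// Report whether the hash part of a stored value appears in the table.
function found_in_table(array $table, string $hash): bool {
    return isset($table[$hash]);
}

// Constructed sample data: three common passwords and two users who share one.
$table = build_lookup_table(['123456', 'password', 'letmein']);
$unsalted = sha1('letmein');
$alice = hash_with_salt('letmein');
$bob   = hash_with_salt('letmein');

echo "unsalted hash found in table: ";
var_dump(found_in_table($table, $unsalted));
echo "salted hash found in table:   ";
var_dump(found_in_table($table, explode(':', $alice, 2)[1]));
echo "same password, same stored value for two users: ";
var_dump($alice === $bob);
echo "correct password verifies: ";
var_dump(verify_salted('letmein', $alice));
echo "wrong password verifies:   ";
var_dump(verify_salted('wrong', $alice));
```

Because each salt is random, the table would have to be rebuilt for every stored salt, which is what makes the precomputed database useless against salted hashes.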