Member Avatar for feoperro

Hi,

I'm currently looking at password hashing and from what I've read so far, it seems pretty pointless.

I read this article which recommends using MD5 or SHA-1, however I Googled for decrypters and found them within the first 3 results on Google. I don't quite understand the purpose of encrypting if it can just as easily be decrypted again.

Can someone please explain why one would need password hashing and tell me if there's an encryption that cannot be decrypted?

Thanks,
Ashton.

Member Avatar for diafol

Hashing is different to encrypting. IMO the hashing is there to protect your pws in case somebody gets access to the db details. They get the hash, but can't get the actual pw, so they can't log in as you.

Hashing is a one-way algorithm; it cannot be run in reverse.
Encryption is a two-way algorithm where a string can be encrypted and then decrypted.

MD5 and SHA-1 can't be decrypted, but what those sites do is maintain giant databases of common lookups. So if you make your password 'password' the md5 will always be '5f4dcc3b5aa765d61d8327deb882cf99' which means you can store that and you know that the hash always (minus collisions) matches password.

With hashes it is recommended to always salt the hash with additional random characters that are unique to your site. So if your salt is "!@#$VSA!@#adjk_48ashkj345" no matter how weak someone's password is, by default it will be as strong as the salt.

e.g. A user's password of "password" is now "!@#$VSA!@#adjk_48ashkj345password!@#$VSA!@#adjk_48ashkj345" before it gets hashed. This prevents the hashes from being easily matched if your db is compromised, but does nothing if your site is exploited from the frontend where an attacker throws common words at your login fields. This is where rate limits and failed login checks come into play.

This is also a place where it is suggested to make logging in as slow as possible by doing thousands if not hundreds of thousands of hash calculations so you become a much less viable target to attack with automation.
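
The points in the answer above, as an added example that is not part of the thread or any poster's code: an unsalted MD5 of "password" is found by a precomputed table, while a salted, deliberately slow hash is not. The per-user random salt, PBKDF2-HMAC-SHA256, the iteration count, the function names and the word list are all assumptions chosen here for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

ITERATIONS = 200_000  # assumed work factor ("hundreds of thousands" of rounds)

def unsalted_md5(password: str) -> str:
    """Plain MD5: same password always gives the same hash."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def found_in_table(stored: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """What the 'decrypter' sites do: look hashes up in a precomputed table."""
    table = {unsalted_md5(word): word for word in wordlist}
    return {h: table[h] for h in stored if h in table}

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash. A fresh random salt is generated per user."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    wordlist = ["123456", "password", "letmein"]  # constructed sample list
    weak = unsalted_md5("password")
    print("unsalted lookup:", found_in_table([weak], wordlist))

    salt_a, hash_a = hash_password("password")
    salt_b, hash_b = hash_password("password")
    print("same password, same stored value?", hash_a == hash_b)
    print("salted lookup:", found_in_table([hash_a.hex()], wordlist))
    print("correct login:", verify_password("password", salt_a, hash_a))
    print("wrong login:", verify_password("passw0rd", salt_a, hash_a))
```

Store the salt and iteration count next to each digest so the value can be re-verified and the work factor raised later.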

Member Avatar for feoperro

Awesome post, thanks.

So are there open source systems out there that already do the:

thousands if not hundreds of thousands of hash calculations

and that are trusted as "Secure"?

Member Avatar for feoperro

Good stuff, Thanks
