me.mello Posted June 9, 2012 Report Share Posted June 9, 2012 THE AUTHOR of md5crypt(), which is used to encrypt passwords on some FreeBSD and Linux-based operating systems, has said it is no longer secure despite being recommended as a password hashing function.Poul-Henning Kamp implemented Ronald Rivest's MD5 one-way hashing algorithm in his md5crypt() function that has been in use on FreeBSD and Linux-based operating systems for many years. Now Kamp has been forced to say that md5crypt() is no longer secure Md5crypt Password scrambler is no longer considered safe by author — PHKs Bikeshed after he claimed that people were still recommending it for production use.While Kamp introduced extra functionality in md5crypt() to mitigate against brute-force attacks, processing power has increased to a point where Kamp said that md5crypt() is too fast on commercially available hardware. He told The INQUIRER, "[The] only problem with md5crypt is speed: it's too fast."Kamp also told The INQUIRER that it had been known for some time that md5crypt() could no longer provide adequate protection, but since people were still recommending the use of md5crypt() in production environments that forced him to make an announcement, urging people to stop using his creation.While MD5 was cracked using brute force methods back in 2005, Kamp included extra stages in md5crypt() such as salting to increase its computational complexity, and md5crypt() remained too processor intensive for brute force attacks for a while longer. However md5crypt() is the best part of two decades old by now and more computing power, especially with GPGPUs, has meant that hackers can execute md5crypt() on every combination of 10 letters and numbers in a matter of hours.All hashing algorithms eventually become susceptible to brute-force attacks due to advances in computational power. However the fact that Kamp has been forced to make such an announcement shows that bad practices are still far too common, and that can cost people in terms of security. Sursa: Even The Author Says md5crypt() Is No Longer Secure ? Packet Storm 1 Quote Link to comment Share on other sites More sharing options...
GarryOne Posted June 9, 2012 Report Share Posted June 9, 2012 Foarte interesant articolul, e sticky pe forum-ul celor de la phpacademy.orgCateva sintaxe elementare din articol:MD5 (Out dated)NO, NO, NO, NO, NO, MD5 is the worst thing for hashing sensitive data. This is almost as bad as using clear text, even with a Salt it's still horrible.I recommend you to stop using this.Actually MD5 is really a check-sum, I think of it as a alternative to the mt_rand() function.Dupa parerea autorului articolul Bcrypt este cel mai puternic sistem de criptare. A postat si o clasa cu Bcrypt.phpacademy.org | PHP Security: How to safely store your passwords | PHP/Web Development Help & Discussion Forum Quote Link to comment Share on other sites More sharing options...
bcman Posted June 9, 2012 Report Share Posted June 9, 2012 Da, singura metod? de a cre?te durata unui brute (în afar? de folosirea unei parole sigure) este aceea de a cre?te durata cript?rii, dar odat? cu aceasta va sc?dea ?i u?urin?a de a utiliza acea metod? de encrip?ie. În domeniul securit??ii legea guvernant? este: „cu cât un lucru e mai practic (aka user-friendly) cu atât e mai pu?in sigur ?i invers.” Quote Link to comment Share on other sites More sharing options...
M2G Posted June 9, 2012 Report Share Posted June 9, 2012 Just use SHA-2. Quote Link to comment Share on other sites More sharing options...
Bebe Posted June 9, 2012 Report Share Posted June 9, 2012 Multi dintre voi nu ati auzit de double hash.Exemplu:Avem parola 123456, se va hashui odata in e10adc3949ba59abbe56e057f20f883e si apoi in 14e1b600b1fd579f47433b88e8d85291 desigur se poate face de N ori treaba asta, mai dati brute force la astea. Quote Link to comment Share on other sites More sharing options...
Cril Posted June 9, 2012 Report Share Posted June 9, 2012 Multi dintre voi nu ati auzit de double hash.Exemplu:Avem parola 123456, se va hashui odata in e10adc3949ba59abbe56e057f20f883e si apoi in 14e1b600b1fd579f47433b88e8d85291 desigur se poate face de N ori treaba asta, mai dati brute force la astea.https://rstcenter.com/tutorial/md5-md5-md5-61.cgi (pentru o "intelegere" mai buna) Quote Link to comment Share on other sites More sharing options...
SticKyWoX Posted June 10, 2012 Report Share Posted June 10, 2012 Da, md5crypt(md5crypt()). Quote Link to comment Share on other sites More sharing options...
GarryOne Posted June 10, 2012 Report Share Posted June 10, 2012 Multi dintre voi nu ati auzit de double hash.Exemplu:Avem parola 123456, se va hashui odata in e10adc3949ba59abbe56e057f20f883e si apoi in 14e1b600b1fd579f47433b88e8d85291 desigur se poate face de N ori treaba asta, mai dati brute force la astea.Din contra, foarte multi au auzit si o folosesc spre nefericirea lor.E total gresit ce ai spus tu, vad ca ai primit si like-uri pentru asta, dar nu stiu de ce.Daca citeai articolul care l-am posat eu nu mai ziceai asta.Citez: Double Hash"This is one of the worst things you can do, it can actually create redundant hashes. You can also lower the security by double hashing, by creating redundant data, like so:sha1(md5($password)) Pointless..." Quote Link to comment Share on other sites More sharing options...
