List:       php-db
Subject:    Re: [PHP-DB] Insecure Hashes (was Re: Beginners Problem)
From:       "J. Hill" <jh () thefirm ! biz>
Date:       2008-01-23 5:01:05
Message-ID: 4796CA11.2080601 () thefirm ! biz

Well, if you're interested in some greater level of security where you 
can decrypt, you might want to check out Rijndael encryption (a type of 
AES). Shane Kretzmann wrote a good Rijndael PHP class that I think is 
still on phpclasses.

It can be a bit difficult working with binary passwords, but if you 
really need security, it seems like one of the better options.

I've been testing it myself, and the only issue I see is, of course: 
keeping the key secret. I've been looking at a few methods, but I'm 
always interested in others' ideas on that issue.

Regards,

J. Hill



Cristian Vrabie wrote:
> It's true md5 is very old but it is not completely obsolete. Used in 
> combination with a random salt, it is still hard to decode.
> Maybe I won't use it as encryption for passwords any more but I would 
> use it for digital signatures or data integrity checks.
>
> sublimino@gmail.com wrote:
>> Whilst reviewing my penetration testing I have noticed that both the
>> md5 and sha1 hashing algorithms are now considered less secure than
>> previously thought. Migration to sha256 is encouraged:
>>
>> http://www.owasp.org/index.php/Cryptography#Algorithm_Selection
>>
>> Then I found the comment below from:
>>
>> http://uk3.php.net/manual/en/function.md5.php
>>
>> http://md5.rednoize.com offers a service to reverse engineer md5
>> hashes. Very useful if you got a md5 hash and need the plain text
>> string of this md5 hash. The website has currently over 47 million
>> hashes stored. It also has support for SHA-1 hashes.
>>
>> Consequently I shall be updating my authentication class.
>>
>>
>> Andy
>>
>>   
>

-- 
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
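
The lookup-table and random-salt points raised in the thread above, as an added example that is not part of the original messages. The word list, sample password and function names are constructed for illustration, and the code assumes PHP 7.1 or later.

```php
<?php
// Added illustration: word list, sample password and function names are constructed.

// Precomputed table of unsalted MD5 digests, the kind a lookup service holds.
function build_lookup(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

// Per-user random salt, stored beside the digest as "salt:digest".
function hash_salted(string $algo, string $password): string
{
    $salt = bin2hex(random_bytes(16));
    return $salt . ':' . hash($algo, $salt . $password);
}

// Recompute with the stored salt; hash_equals() compares in constant time.
function verify_salted(string $algo, string $password, string $stored): bool
{
    [$salt, $digest] = explode(':', $stored, 2);
    return hash_equals($digest, hash($algo, $salt . $password));
}

$lookup   = build_lookup(['letmein', 'password', 'qwerty']);
$password = 'letmein';

// Unsalted MD5: the stored digest is a key in the table.
$found = $lookup[md5($password)] ?? null;
echo 'unsalted md5 in table: ', var_export($found !== null, true), "\n";

// Salted MD5: same algorithm, but the digest no longer matches any table key.
[, $digest] = explode(':', hash_salted('md5', $password), 2);
echo 'salted md5 in table:   ', var_export(isset($lookup[$digest]), true), "\n";

// Salted SHA-256, the migration target named in the thread.
$stored = hash_salted('sha256', $password);
echo 'sha256 verify ok:      ', var_export(verify_salted('sha256', $password, $stored), true), "\n";
echo 'sha256 verify wrong:   ', var_export(verify_salted('sha256', 'qwerty', $stored), true), "\n";

// password_hash() salts automatically and is deliberately slow (PHP 5.5+).
$slow = password_hash($password, PASSWORD_DEFAULT);
echo 'password_hash verify:  ', var_export(password_verify($password, $slow), true), "\n";
```

A salt only defeats precomputed tables; a single fast digest such as MD5 or SHA-256 can still be guessed quickly per user, which is why the last lines use password_hash() for stored passwords.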