So what is all this talk about different types of hashing? Like bcrypt? What am I risking if I use md5 over sha256? Easier bruteforcing?
Non Click related - PHP woes :(!!
Welcome to our brand new Clickteam Community Hub! We hope you will enjoy using the new features, which we will be further expanding in the coming months.
A few features including Passport are unavailable initially whilst we monitor stability of the new platform, we hope to bring these online very soon. Small issues will crop up following the import from our old system, including some message formatting, translation accuracy and other things.
Thank you for your patience whilst we've worked on this and we look forward to more exciting community developments soon!
Clickteam.
A few features including Passport are unavailable initially whilst we monitor stability of the new platform, we hope to bring these online very soon. Small issues will crop up following the import from our old system, including some message formatting, translation accuracy and other things.
Thank you for your patience whilst we've worked on this and we look forward to more exciting community developments soon!
Clickteam.
-
-
There are legitimate reasons to use MD5, just not for security.
For example, if you want to check the integrity of a file, for instance to see if it got corrupted during downloading, it's perfectly fine to use MD5, since it's pretty fast and the generated hash is sufficiently resistant to collisions.
If you hash passwords with MD5, though, even with salting, you expose your applications and users to hackers. It's better than storing plaintext passwords, that's for sure, but the efficiency of md5 as a deterrent are surprisingly small.
Stick with strong algorythms, and be on the lookout for new ones. With quantum computers (there are actual working quantum computers, you can even buy them) expected to surpass normal computing within a few years (<10 years last I've heard), sha256 is not likely to remain a good cipher for very long either.
Sha256 is fine for now (and probably for the next ~6 years) though.
-
If you hash passwords with MD5, though, even with salting, you expose your applications and users to hackers. It's better than storing plaintext passwords, that's for sure, but the efficiency of md5 as a deterrent are surprisingly small.
Would it be too much to ask how? Not that I'm in any way disagreeing I just want to understand it better. Security has always been a big mystery to me because there's only so much people can say about it without telling you how to compromise securities. Which isn't what I'm really asking I guess - I'm more just confused why a different hash makes something more secure. Like, is it harder to decrypt? Why? Or are there more collisions?I guess I should really try researching on my own - I haven't done like any googling even. I'll stop hijacking this thread though. Pm me if you wish to continue
-
If you have a list of unsalted hashes stored in a compromised database (you just apply the hash algorithm to the password) then you can use well known lookups as lots of people use an easy to guess password there are lists of the hash you get for millions of common passwords (ie every word in the dictionary, football team names, people and place names etc)
You might not uncover every users password in the database with such dictionaries but you will get a lot and likely they used the same password on other sites too hence the issue so just a plain hash with any algorithm is not enough your only going one step beyond storing them as plain text.
If the site applies a salt to the password (typically append some unique data before / after the password) before hashing the these lookups will not work and so to compromise the 'hacker' would then need to use brute force methods which depending on the strength of the algorithm is hopefully going to take long enough to crack to make them not bother.
Participate now!
Don’t have an account yet? Register yourself now and be a part of our community!
