bwoogie Member Posts: 380 From: kansas usa Registered: 03-12-2005
Hey all, I need help coming up with a solution for my site. I need to know how to secure/encrypt my member passwords. Is md5 secure enough? A lot of people use it, but I've heard it's just as good as sending plain text around... But I've seen it used with algorithms that used the time and/or date to check stuff, and whatnot. Anyways, I just need some opinions and suggestions on making my site as secure as possible. ------------------
crazyishone Member Posts: 1685 From: Registered: 08-25-2004
MD5 is good, but it can be fairly easily cracked via brute force. Try writing your own encryption algorithm and see how it goes. >:F ------------------
bwoogie Member Posts: 380 From: kansas usa Registered: 03-12-2005
heh, see how it goes? like see if it gets hacked into within the first week? that's the thing, I'm not a hacker so I don't know what they know so I can better secure myself. anyways, brute force is basically when they use a dictionary and go through a list of words, right? ------------------
CPUFreak91 Member Posts: 2337 From: Registered: 02-01-2005
quote: Md5 is ok... but if it's possible I would encrypt it with SHA, AES or Blowfish. ------------------
samw3 Member Posts: 542 From: Toccoa, GA, USA Registered: 08-15-2006
Yes, brute force is where the hackers just guess at passwords. One way to slow that down is to use lockouts or captchas. MD5 and SHA1 are one-way hashes. They destroy the password but the result is the same. So if you use them you will not be able to "retrieve" the password. You can only compare two hashed passwords and see if they are equal. MD5 is more hackable because it's possible to find a collision quicker. The algorithm is (slightly) flawed. AES and Blowfish are encryption routines. Which means of course that the data needs to be decrypted before you can compare anything. That can be a scalability issue. (too much cpu) There is no perfect security solution. Even if you use the best algorithms, your users could use a password like "jesus", and you could get hacked. (At least that particular account) Another thing to think about is, "How hackable am I?" in the sense of "Am I a target?" Most hackers will not even bother with a website where they cannot get credit card numbers, or some financial or other advantage (like bandwidth or filespace). If you have time read this article on why Security is Hard: But in a nutshell SHA1 over MD5 for hashes and AES over Blowfish for encryption and use large keys with numbers generated randomly. i.e. use http://www.random.org/ ------------------ [This message has been edited by samw3 (edited March 09, 2007).]
spade89 Member Posts: 561 From: houston,tx Registered: 11-28-2006
are you talking over the net?? or for storage?? for storage I would recommend RSA or the XOR encryption (I wrote an article on CCN on that), over the net use either Blowfish or SHA. ------------------ Jesus answered, "I am the way and the truth and the life. No one comes to the Father except through me."
bwoogie Member Posts: 380 From: kansas usa Registered: 03-12-2005
Wait a second. What good is salt for? When you enter your password I (the script) have to add the salt on to the password to compare with the encrypted password in the database (which is "md5(password) & md5(salt) = encrypted password").. if they use brute force the salt will just be added on to their guessed password.
p.s. sorry if this post sounded scattered... I'm trying to figure this out in my brain as I type it out. you'll find I do that a lot ------------------
MastaLlama Member Posts: 671 From: Houston, TX USA Registered: 08-10-2005
what are you writing this in?
bwoogie Member Posts: 380 From: kansas usa Registered: 03-12-2005
I'm writing this in PHP. ------------------
tehriddler Junior Member Posts: 8 From: Portland, Oregon Registered: 05-07-2007
Hello everyone, I'm somewhat new. I am actually trying to figure out/have figured out the same thing you're talking about. One thing that I've seen is the PHP hash(); function. I actually haven't used it..yet, but I'm sure you can find a lot of information about it in the manual and online. What I'm doing is for the login system, the user types in their username and pass. They are then BOTH: sha1(md5(USER and PASS go here)) (will make it hash() soon because you can use sha256). Then the script checks the database for user = $user and pass = $pass of course. (They will have been submitted in the same way as they were just encrypted) Hope this helps brother. Let me know if you come up with anything. God Bless!
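Added example, not code from any poster in this thread: it shows what a per-user salt changes for an attacker who has copied the password table (bwoogie's salt question above) next to the unsalted and nested-hash approaches discussed (the sha1(md5(...)) login in the post above), and then the built-in PHP way to store and verify passwords. It assumes PHP 7 or later; the user names and the password "jesus" are constructed sample data.

```php
<?php
// Two different users who happen to pick the same (constructed) password.
$users = ['alice' => 'jesus', 'bob' => 'jesus'];

// 1. Unsalted digest (md5, or sha1(md5(...)) alike): identical passwords give
//    identical digests, so one precomputed table of hash(word) cracks every
//    matching account in the whole table at once.
foreach ($users as $name => $pw) {
    printf("%-6s unsalted md5    %s\n", $name, md5($pw));
    printf("%-6s sha1(md5())     %s\n", $name, sha1(md5($pw)));
}

// 2. Per-user random salt stored beside the hash: the digests now differ, so a
//    precomputed table is useless and each account has to be attacked on its own.
//    As bwoogie noted, a guess still gets the salt appended; the salt's job is to
//    stop precomputation and cross-account reuse, not to hide the hash from a
//    brute-force attempt against one account.
function legacy_salted_hash(string $password, string $salt): string {
    return hash('sha256', $salt . $password);
}
foreach ($users as $name => $pw) {
    $salt = bin2hex(random_bytes(16));   // 128-bit random salt, stored with the hash
    printf("%-6s salted sha256   %s:%s\n", $name, $salt, legacy_salted_hash($pw, $salt));
}

// 3. What to actually use in PHP: password_hash() generates a random salt, runs a
//    deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT) and embeds salt,
//    algorithm and cost in the returned string; password_verify() re-hashes the
//    attempt with those parameters and compares.
function store_password(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}
function check_login(string $stored, string $attempt): bool {
    return password_verify($attempt, $stored);
}

$stored = store_password('jesus');
echo "stored: $stored\n";
var_dump(check_login($stored, 'jesus'));
var_dump(check_login($stored, 'Jesus'));
```

Run it twice and note that the salted and password_hash() outputs change between runs while the unsalted digests do not; the stored bcrypt string is what goes in the database column, and nothing else about the hash needs to be kept.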