PHP Security
Which password encryption is best for security? I have read that md5 is not that good... Is it sha1? Or which one?

Thanks!

0
(please delete post)
0
If you want some hash methods I use, feel free to PM me ;)
0
I found something about sha512, which is on 512 bits and has about 120 characters. How about this one?
0
Also known as SHA2 (just a note).
Seems to be the best if you plan to do a plain hash.
But it requires more processing power (according to Wikipedia) and runs best on a 64-bit system.
1
The totally best way would be to make your own encryption system (which wouldn't be too hard).

No. That is a terrible idea; do not do that. Use sha (with a salt, of course); it is far better than anything you would create.
1
From what I have seen it's better than MD5 but still not the best.
You should hash it (whether random or pre-defined).
The totally best way would be to make your own encryption system (which wouldn't be too hard).

Developing your own encryption is not the best option. Proper encryption requires a very good understanding of mathematics and prime numbers. You need to ensure that you minimise the potential, for example, of collisions.

Use a currently accepted encryption algorithm and ensure you use salt when encrypting. The algorithm you should choose depends on the trade-offs between desired security and acceptable processing time.
2
Developing your own encryption is not the best option. Proper encryption requires a very good understanding of mathematics and prime numbers. You need to ensure that you minimise the potential, for example, of collisions.

Use a currently accepted encryption algorithm and ensure you use salt when encrypting. The algorithm you should choose depends on the trade-offs between desired security and acceptable processing time.

Definitely agree with Peter. Use a popular encryption algorithm such as MD5 or SHA.

When people say "use salt" they're referring to adding extra arbitrary text to the actual value you wish to encrypt. For example:

PHP:
<?php
$password = "example"; // the value being hashed
$salt = "H-w_VJe2_u";
$unsalted = md5($password); // no salt
$salted = md5($salt . $password); // with salt; PHP joins strings with '.', since '+' is numeric addition
?>

Because, obviously, the MD5 value with and without salt will be different. And even though you'd encrypt passwords one-way, you can compare MD5 values, and if the password is obvious or is a dictionary word (as an example), two values compared means you can easily figure out the plain-text value of an encrypted password.

There are many websites that exist which have a large database of the decrypted values of encrypted MD5 values. And so if your site's database is compromised, if you don't add a salt to the passwords in your database, many of your users' encrypted passwords will likely be already listed in a database where the MD5 value can be compared, because the password has been submitted to such a database before.
0
Because, obviously, the MD5 value with and without salt will be different. And even though you'd encrypt passwords one-way, you can compare MD5 values, and if the password is obvious or is a dictionary word (as an example), two values compared means you can easily figure out the plain-text value of an encrypted password.

There are many websites that exist which have a large database of the decrypted values of encrypted MD5 values. And so if your site's database is compromised, if you don't add a salt to the passwords in your database, many of your users' encrypted passwords will likely be already listed in a database where the MD5 value can be compared, because the password has been submitted to such a database before.

Exactly. They are called Rainbow tables: Rainbow table - Wikipedia, the free encyclopedia (http://en.wikipedia.org/wiki/Rainbow_table)

A lot of the recent attacks where hackers like Anonymous released passwords, they didn't actually get the passwords; rather they got hashed values. With the use of rainbow tables they can then work out those easy-to-guess values. They can then use the username and password on other sites to compromise accounts. Anonymous actually encouraged people to try getting into PayPal accounts using the details and encouraged them to use the accounts. Hence it is important to use different passwords on sites.
1
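A worked example added by the editor, not code from this thread: it shows the lookup-table problem described in the two posts above (a leaked unsalted MD5 digest is found in a precomputed table; a per-user random salt is not), and then PHP's built-in password_hash()/password_verify(), which has generated its own salt since PHP 5.5 and uses a deliberately slow algorithm. It assumes PHP 7.1 or later; the lookup table and the salt$digest record format are constructed for this example.

```php
<?php
// Added example (not from the thread): a per-user random salt defeats lookup
// tables, and modern PHP has a built-in that does the salting for you.

// Constructed stand-in for a precomputed lookup ("rainbow") table:
// unsalted MD5 digests of a few common passwords, keyed by digest.
$lookupTable = [
    md5('password') => 'password',
    md5('123456')   => '123456',
    md5('letmein')  => 'letmein',
];

// Naive storage: unsalted MD5, as in the earlier post.
function storeUnsalted(string $password): string {
    return md5($password);
}

// Salted storage: a fresh random salt per user, kept next to the digest.
// The "<salt>$<digest>" record format is an assumption made for this example.
function storeSalted(string $password): string {
    $salt = bin2hex(random_bytes(16)); // 128-bit random salt, unique per record
    return $salt . '$' . hash('sha512', $salt . $password);
}

function verifySalted(string $password, string $stored): bool {
    [$salt, $digest] = explode('$', $stored, 2);
    // hash_equals() compares in constant time, avoiding a timing side channel
    return hash_equals($digest, hash('sha512', $salt . $password));
}

$pw = 'letmein';
// 1. Unsalted: a leaked digest is found directly in the lookup table.
$leaked = storeUnsalted($pw);
echo 'unsalted digest in table: ', var_export(isset($lookupTable[$leaked]), true), "\n";

// 2. Salted: the digest is not in any precomputed table, and two users with
//    the same password get different records, so one crack reveals one account.
$recordA = storeSalted($pw);
$recordB = storeSalted($pw);
$digestA = explode('$', $recordA, 2)[1];
echo 'salted digest in table: ', var_export(isset($lookupTable[$digestA]), true), "\n";
echo 'records differ for equal passwords: ', var_export($recordA !== $recordB, true), "\n";
echo 'verifySalted: ', var_export(verifySalted($pw, $recordA), true), "\n";

// 3. Since PHP 5.5, password_hash() generates the salt itself and uses a
//    deliberately slow algorithm (bcrypt by default); a salted MD5 or SHA-512
//    stays fast to brute-force, which is why the built-in is preferred today.
$hash = password_hash($pw, PASSWORD_DEFAULT);
echo 'password_verify: ', var_export(password_verify($pw, $hash), true), "\n";
```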
Well you can do:

Code:
$input = "something";
$output = hash("sha512", $input);

This way you are not using the + concatenation and it is safer: 512-bit encryption.

This is the best value that I could find... If I use salt, it will be more secure though.
0
Agreed, hash() is the way to go.

PHP:
$password = hash("sha512", $password);
0
[ Removed my post, can't post links and can't delete this :( ]
0