42
hiken
8y

Password hashing using md5, it is 2016!! I have seen a sys admin update a user password using a MySQL query

Comments
  • 0
    @vinerz well at least, but false sense of security
  • 0
    What's wrong on md5?
  • 0
    @grauschnabel md5 is considered cryptographically insecure, see this http://stackoverflow.com/questions/...
  • 1
    If I remember correctly wordpress is still using md5 😄
  • 0
    If it's not fatally broke, don't fix it.
  • 1
    @juzles I think this was in older versions
  • 0
    @Justananon I see you like to live dangerously
  • 0
    @le717 true that can happen, good that you patched it up, we are always learning how to do things better
  • 1
    I have a perfect solution for password security: I assign users with random md5 hashes as passwords. Than I save those in DB as plain text. If an user wants a new password, I just give them a new hash. If someone hacks the DB they'll see a lot of hashes that they'll try to decypher. And I'll be LOLing with an evil genious laughter... /s
  • 1
    So, MD5 is insecure, which are secure then? They're all hashing, so how do I know which are good to go and which not?? I admit to using MD5 under the guise that it was at least a little bit secure xD
  • 2
    @grauschnabel AFAIK The problem with MD5 is that it's extremely fast to compute. Many orders of magnitude faster than bcrypt, which makes it more vulnerable to attack via modern GPUs. I am not sure about hash collisions, and what's the rate of that vs other hash algorithms.
  • 1
    @WerewolfCustoms if someone hacks your db that is already a problem
  • 1
    @juzles It's not. You may use md5 to forcefully set a password, but when the user logs in (or at some other point) Wordpress will use a better algo to re-create the hash
  • 0
    @nickhh As linked above, the collision resistance on md5 sucks.
  • 0
    @Saborknight bcrypt is well recommend for password hashing, if you are using a language like PHP (> 5.5) it has built in functions to help with this
  • 2
    @hiken awesome thanks. Consider me to have seen the light and return from my wanderings between the dark side and ways of the Jedi. Thank you for that :)
  • 1
    I've seen mysql() calls in php and cleartext passwords in 2016 so I'd say you're ok x)
  • 0
    @jonnyserra I was ranting about use of mysql_* functions recently
  • 1
    Also password hashing algorithms should be purposely slow to make brute forcing of passwords harder, should anyone ever manage to get a dump of your database.
  • 0
    @deusprogrammer true but together with other controls on the application side to prevent an inadvertent ddos attack
  • 1
    @hiken Naturally my friend :)
  • 2
    @Saborknight if you use php there is a built in api for password hashing and checks that cover more security concerns.

    Check: http://php.net/manual/en/...
  • 1
    MD5 is not "broken", it just in SOME instances and if not used correctly can be problematic as it can cause collision where two different sources of data will result in same MD5 hash.

    If you want to do collision attack you will need to know the salt and that resulting hash (in which case you have the access to the database) and hope that you can send arbitrary password length and/or character combination in order to generate the colliding hash which is easier said than done for most sites.

    It is still perfectly safe IMO to use it with passwords in legacy systems, as long as you do it correctly. For new systems...SHA should be used since it provides even more secure solution 😊
Add Comment