Making passwords more secure?

Question

Hey Guys im thinking about something what i can do to improve the current password safeness. Most of you know rainbow tables which can decrypt "hacked" md5 hashes in seconds.

My thought was, how can i make this more secure. What if the "hacker" who hacked got some md5 hashes has not the full md5 hash?

For example, the password i choose "rabbit" md5 hash equals (a51e47f646375ab6bf5dd2c42d3e6181) Nearly every rainbow table in the internet can decrypt these md5 hash into the clear word "rabbit".

But what if i parse only the first 10 signs into the database. And if the user sign in with its password it will be checked if the first 10 signs equals the 10 signs in the database. So, if the hacker got some hashes he could not revert any of them because none of these makes any sense..

Is this possible and really more secure?

This is only an idea which had and i would really appreciate it for your comments.

Thanks!!!

Answer 1

While this does make driveby rainbow table-based attacks less viable, it doesn't really add security. Once the attacker figures out you're using 'trunctated' MD5 hashes, your approach actually makes things easier for him or her - after all, s/he doesn't have to find the one single phrase with the correct hash, just one that shares the first 10 characters or so.

This is almost a textbook example of security through obscurity, I'm sorry to say. It's good that you're thinking about ways to store passwords more securely - and that you're aware that using plain MD5 hashes is not a good idea - but this is the wrong approach.

Answer 2

A more secure way to store passwords is to use a different hashing algorithm for each user - or to use different parameters for a hashing function per user and store that. This way someone would have to generate rainbow tables for a ton of different possibilities.

Check out Salting for more information.

Answer 3

I would recommend to follow Secure hash and salt for PHP passwords