Ave

Reputation: 4430

What is the difference between md5() vs. hash when saving a password?

Today, I had a discussion with my friend about website security.

I usually use a hash with random salts when saving a user's password.

Because a hash can't be decompiled, my friend often uses md5() to encrypt the user's password.

Problem is:

I tried to explain to him that md5() can be decrypted, but he said:

"I can use md5(md5(md5('password'))) or md5() + random string".

So I also mentioned that this will take much time to save into the database, and again to decrypt when the user logs in.

But that was also not enough to convince him. Can anyone suggest how I can explain it in an easy-to-understand way?

Thanks.

Upvotes: 4

Views: 9002

Answers (2)

martinstoeckli

Reputation: 24071

MD5 is a hash function (one way) and cannot be decrypted; the problems with MD5 for password storing are different.

  • MD5 is way too fast for hashing passwords; one can calculate about 100 Giga MD5 per second with a good GPU. That makes brute-forcing too easy: testing a whole English dictionary is a matter of microseconds.
  • Combining MD5 like md5(md5(md5('password'))) does not add much security; password cracker tools often offer this out of the box.

That is why we should use a hash function with a cost factor, like BCrypt. The cost factor determines how much time is used to calculate a single hash; it should be as much as your server can bear. PHP offers the function password_hash() to generate safe password hashes.

Upvotes: 5
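An added example, not from this thread, that puts the answer's two points side by side: the question's unsalted md5(md5(md5())) chain versus a salted hash with a tunable cost factor, plus the verify step a login would run. It uses Python's standard library, so PBKDF2-HMAC-SHA256 stands in for the BCrypt/password_hash() recommended above; the sample password and the stored-string format are constructed for the demo.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Optional

SAMPLE_PASSWORD = "password"  # constructed demo value, not from the thread


def nested_md5(password: str, rounds: int = 3) -> str:
    """The md5(md5(md5(x))) scheme from the question: no salt, no cost factor,
    so equal passwords give equal hashes and each guess costs one cheap MD5 chain."""
    digest = password.encode()
    for _ in range(rounds):
        digest = hashlib.md5(digest).hexdigest().encode()
    return digest.decode()


def hash_password(password: str, iterations: int = 200_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256, a stdlib stand-in for BCrypt/password_hash().
    Stored as pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>, so the salt and
    cost travel with the hash and the cost can be raised later for new logins."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and cost, then compare in constant time."""
    try:
        algo, iters, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def guesses_per_second(fn: Callable[[str], str], seconds: float = 0.2) -> int:
    """Rough single-core throughput of a scheme: the cost factor is what makes
    a dictionary run expensive, which unsalted MD5 chains never do."""
    n, stop = 0, time.perf_counter() + seconds
    while time.perf_counter() < stop:
        fn(f"guess{n}")
        n += 1
    return int(n / seconds)


if __name__ == "__main__":
    stored = hash_password(SAMPLE_PASSWORD)
    print("stored:", stored)
    print("login ok:", verify_password(SAMPLE_PASSWORD, stored))
    print("wrong pw:", verify_password("Password", stored))
    print("nested md5 guesses/s:", guesses_per_second(nested_md5))
    print("pbkdf2 guesses/s:", guesses_per_second(hash_password))
```

Two calls to hash_password() for the same password return different strings because of the random salt, while nested_md5() always returns the same value, which is the precomputation weakness the first answer describes.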

virepo

Reputation: 330

  • MD5 and SHA are hash functions (SHA is actually a family of hash functions): they take a piece of data, compact it, and create a suitably unique output that is very hard to emulate with a different piece of data. They don't encrypt anything; you can't take MD5 or SHA output and "unhash" it to get back to your starting point. The difference between the two lies in what algorithm they use to create the hash. Also note that MD5 is now broken, as a way was discovered to easily generate collisions, and it should not be used nor trusted anymore.

  • RSA is an asymmetric encryption algorithm. You have two keys (private and public), and you can perform a function with one key (encrypt or decrypt) and reverse it with the other key. Which key you use depends on whether you are trying to do a digital signature or an encryption.

Upvotes: 0
