MyBB Community Forums

Full Version: PHP Best password encryption!!
Hello MyBaBies,

I was just looking around for **the best** encryption method in PHP before inserting in a SQL database or in a file... and I just found out that:

$password = md5($password);
can be decrypted! Security rating: 2.5/5

$password = sha1($password);
can be decrypted, with a lot of work! Security rating: 3.5/5

The best encryption method/hash
$password = hash("sha512", $password);
Security rating: 4.9/5 (for now)

the hash of 0 using sha512 is:
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

the hash of 1 using sha512 is:
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a


WOW!

WARNING:
Never use the MySQL PASSWORD() function, as said in MySQL Docs:
Quote:The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.

So if you are doing something like:
// legacy mysql_* extension with MySQL's own PASSWORD() function, the pattern this post warns against
$sql = mysql_query("INSERT INTO users (`username`, `password`) VALUES ('$username', PASSWORD('$password'))")
 or die(mysql_error());

You should really change that for your safety! Smile
Hope I helped
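As an added example, not code from the thread: the approach PHP itself ships for this job, password_hash() with bcrypt (a salted, deliberately slow hash) stored and checked through PDO prepared statements instead of interpolating values into the query string. It runs against an in-memory SQLite database so it works stand-alone; the users table, its columns and the cost factor are assumptions.

```php
<?php
// Added example (not from the thread): bcrypt via password_hash(), stored and checked
// through PDO prepared statements. Uses an in-memory SQLite database so it runs offline;
// the users table and its columns are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

const BCRYPT_OPTIONS = ['cost' => 12];   // 2^12 key-setup rounds per hash

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() draws a random salt and embeds salt, algorithm and cost in the
    // result, so the hash alone is enough to verify later and nothing else is stored.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);   // values bound, never interpolated
}

function loginUser(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // A hash made with an older cost or algorithm is upgraded while the plaintext is at hand.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u')
           ->execute([':h' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS), ':u' => $username]);
    }
    return true;
}

registerUser($db, 'alice', 'correct horse battery staple');
registerUser($db, 'bob', 'correct horse battery staple');   // deliberately the same password

// Unlike md5()/sha512(), the two stored hashes differ even though the passwords match,
// so equal passwords cannot be spotted in the table and precomputed tables do not apply.
$hashes = $db->query('SELECT password_hash FROM users ORDER BY username')->fetchAll(PDO::FETCH_COLUMN);
var_dump($hashes[0] !== $hashes[1]);
var_dump(loginUser($db, 'alice', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice', 'not her password'));
```

Bcrypt only looks at the first 72 bytes of the password, so very long passphrases are truncated silently; password_hash() also defaults to bcrypt when PASSWORD_DEFAULT is passed instead of PASSWORD_BCRYPT.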
I use my own encryption class with my own algorithms. The sha* methods are public and are not that difficult to crack.

It's not about the length of the hash, it's about how well it's encrypted.

Only 3 people in the world know my class, and they're co-developers. So if you want to create a secure encryption method, write your own. Toungue
(2011-09-24, 07:04 PM)Malcolm. Wrote: I use my own encryption class with my own algorithms. The sha* methods are public and are not that difficult to crack.

It's not about the length of the hash, it's about how well it's encrypted.

Only 3 people in the world know my class, and they're co-developers. So if you want to create a secure encryption method, write your own. Toungue

Well said! Smile

I agree, hashing with public algorithms is never safe, but you should just make sure that your hash function won't take a lot of time to answer when it's called... Because I myself tried to do something like a "cocktail" of different public hashes, something like:

function myHash($var)
{
return hash("sha512", md5(sha1(md5($var))));
}

with more than 5 algorithms mixed up! The problem was that such functions take time to generate the hashes, which is never good! :p
Well, the fastest one is md5 but sha1 and sha512 are quite slow.

1. md5 (raw) 6474.971 microseconds
2. md4 (raw) 6906.986 microseconds
3. md5 (hex) 7320.88 microseconds
4. crc32b (hex) 7404.804 microseconds
5. md4 (hex) 7589.817 microseconds
6. crc32b (raw) 7635.116 microseconds
7. crc32 (raw) 11025.905 microseconds
8. crc32 (hex) 11151.075 microseconds
9. sha1 (raw) 17661.094 microseconds
10. sha1 (hex) 18871.068 microseconds
11. salsa10 (hex) 24237.155 microseconds
12. tiger160,3 (raw) 25419.95 microseconds
13. tiger128,3 (hex) 25580.883 microseconds
14. salsa10 (raw) 26392.936 microseconds
15. tiger192,3 (raw) 26761.054 microseconds
16. tiger128,3 (raw) 26807.069 microseconds
17. tiger160,3 (hex) 27302.98 microseconds
18. salsa20 (hex) 27415.037 microseconds
19. salsa20 (raw) 27851.104 microseconds
20. tiger192,3 (hex) 28005.123 microseconds
21. ripemd256 (raw) 29163.122 microseconds
22. ripemd128 (hex) 29576.063 microseconds
23. ripemd128 (raw) 29608.964 microseconds
24. adler32 (hex) 30095.1 microseconds
25. adler32 (raw) 30303.955 microseconds
26. ripemd256 (hex) 31167.984 microseconds
27. haval192,3 (hex) 35535.097 microseconds
28. haval256,3 (hex) 36798.954 microseconds
29. haval192,3 (raw) 37013.053 microseconds
30. haval224,3 (hex) 37785.053 microseconds
31. tiger128,4 (hex) 39018.154 microseconds
32. haval128,3 (hex) 39182.901 microseconds
33. haval256,3 (raw) 39313.077 microseconds
34. tiger192,4 (raw) 39352.178 microseconds
35. haval160,3 (raw) 39448.976 microseconds
36. haval224,3 (raw) 41184.902 microseconds
37. tiger128,4 (raw) 41529.178 microseconds
38. tiger160,4 (raw) 41959.047 microseconds
39. tiger192,4 (hex) 42212.009 microseconds
40. haval128,3 (raw) 43019.771 microseconds
41. sha256 (hex) 43123.96 microseconds
42. haval160,3 (hex) 43340.921 microseconds
43. sha256 (raw) 43519.973 microseconds
44. tiger160,4 (hex) 43947.935 microseconds
45. sha224 (hex) 46062.946 microseconds
46. ripemd160 (hex) 46593.904 microseconds
47. ripemd160 (raw) 46730.995 microseconds
48. ripemd320 (hex) 47153.949 microseconds
49. ripemd320 (raw) 48009.872 microseconds
50. sha224 (raw) 48356.056 microseconds
51. haval128,4 (raw) 50225.973 microseconds
52. haval192,4 (raw) 50331.83 microseconds
53. haval256,4 (raw) 50639.867 microseconds
54. haval256,4 (hex) 50661.087 microseconds
55. haval192,4 (hex) 50701.856 microseconds
56. haval224,4 (raw) 50704.956 microseconds
57. haval160,4 (raw) 52012.92 microseconds
58. haval128,4 (hex) 52280.902 microseconds
59. haval160,4 (hex) 52635.908 microseconds
60. haval224,4 (hex) 55005.073 microseconds
61. haval160,5 (raw) 61164.14 microseconds
62. haval256,5 (raw) 62484.025 microseconds
63. haval160,5 (hex) 63475.131 microseconds
64. haval192,5 (hex) 63808.917 microseconds
65. haval128,5 (raw) 63948.154 microseconds
66. haval192,5 (raw) 64649.105 microseconds
67. haval128,5 (hex) 65181.97 microseconds
68. haval224,5 (raw) 65392.971 microseconds
69. haval256,5 (hex) 68624.019 microseconds
70. haval224,5 (hex) 70489.883 microseconds
71. gost (raw) 92365.026 microseconds
72. gost (hex) 93250.989 microseconds
73. sha512 (raw) 117449.998 microseconds
74. sha384 (raw) 120893.001 microseconds
75. sha384 (hex) 121063.947 microseconds
76. sha512 (hex) 124665.021 microseconds
77. snefru256 (hex) 175709.009 microseconds
78. snefru256 (raw) 178900.957 microseconds
79. snefru (raw) 180594.205 microseconds
80. snefru (hex) 197014.808 microseconds
81. whirlpool (hex) 198023.08 microseconds
82. whirlpool (raw) 202282.19 microseconds
83. md2 (raw) 338346.958 microseconds
84. md2 (hex) 340049.028 microseconds 
MD2 is just sloooowww lol
Thanks for sharing that man Smile
Slower is better when it comes to encryption. Also please read this guys: https://blog.mozilla.com/webappsec/2011/...ot-enough/
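To put numbers on "slower is better", here is an added example that is not from the thread: it times PHP's bcrypt at several cost factors next to a plain sha512 call, then picks the highest cost that still fits a latency budget. The 250 ms budget, the cost range and the benchmark string are assumptions.

```php
<?php
// Added example (not from the thread): time password_hash() at several bcrypt cost
// factors and pick the highest one that fits a latency budget. Cost is a log2 work
// factor, so each step doubles the time a guess costs an attacker as well as the server.

function measureBcryptMs(int $cost, int $rounds = 2): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        password_hash('benchmark-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (hrtime(true) - $start) / $rounds / 1e6;   // nanoseconds to milliseconds
}

// Largest cost, starting from $minCost, whose single hash still stays under $targetMs.
// PHP accepts bcrypt costs 4..31; the loop stops well before the upper bound.
function chooseBcryptCost(float $targetMs, int $minCost = 10): int
{
    $cost = $minCost;
    while ($cost < 31 && measureBcryptMs($cost + 1, 1) < $targetMs) {
        $cost++;
    }
    return $cost;
}

// Baseline: the unsalted, single-pass hash from the first post, averaged over 1000 calls.
$start = hrtime(true);
for ($i = 0; $i < 1000; $i++) {
    hash('sha512', 'benchmark-password');
}
printf("sha512: %.4f ms per hash\n", (hrtime(true) - $start) / 1000 / 1e6);

foreach ([10, 11, 12, 13] as $cost) {
    printf("bcrypt cost %d: %.1f ms per hash\n", $cost, measureBcryptMs($cost));
}
printf("cost chosen for a 250 ms budget on this machine: %d\n", chooseBcryptCost(250.0));
```

Re-run the calibration on the actual login servers, not a developer laptop, and raise the cost as hardware gets faster; password_needs_rehash() lets existing hashes be upgraded at the next successful login.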
It depends on what you're looking for — performance or security.

No it doesn't. If you want performance then don't hash your passwords. Also: http://codahale.com/how-to-safely-store-a-password/
I'm not referring to maximum performance. It's better to have a mixture of them both, rather than going overkill with just one.

For example, if Facebook were to store your password in plain text just to get maximum performance, then that's very insecure. It may be a multi-billion dollar project but that's not to say it's not exploitable.
I totally agree with Malcolm.

Also, running SQL queries directly against databases without cleaning them of possible code injections / malicious code is waaaay faster... So you can go for maximum performance, at your own risk!