(2010-08-13, 05:10 PM)TheLifelessOne Wrote: (2010-08-13, 04:20 PM)Pirata Nervo Wrote: (2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?
No, they're basically the same since they're both optimized to be fast and both have been cracked already.
That's why you use a salt and md5 everything at the end
SHA-1 is actually slower (on most systems), and it's usually more secure.
(2010-08-13, 05:00 PM)DougSD Wrote: I think encrypting two encrypted strings would be pretty safe...
You should just implement a one-time pad.
Just because it's more secure it doesn't mean it can't be cracked. Someone who wants to crack an md5 hash can also crack a sha1 hash. Plus it's not that much more secure compared to md5.
Actually, a proper one-time pad cannot be cracked.
It's impossible if it's done right.
(2010-08-13, 05:28 PM)TheLifelessOne Wrote: Actually, a proper one-time pad cannot be cracked.
It's impossible if it's done right.
I was talking about sha1 not one-time pad
It's not about the encryption method, it's about how strong the password is.
pass123 could be easily cracked.
a&i:4K756h_+Vb4 couldn't be easily cracked.
(2010-08-13, 04:14 PM)TheLifelessOne Wrote: That seems kinda unsafe.
Wouldn't SHA-1 be more secure?
Edit: Also, http://chargen.matasano.com/chargen/2007...out-s.html
No, it's totally safe. If it was just a simple md5($password) by itself, THAT would be unsafe since reverse-md5 rainbow tables are common these days and easy to generate.
However we couple it with much better entropy (a statistically secure random salt) which makes it essentially impossible to reverse-md5 using rainbow tables. Even if you had the database itself, you would have to brute force every single password in the table because it uses a unique salt for each one. There is no performance speedup you could do.
Even then, if you didn't have a copy of the db, you would need to brute force it from the web interface. This is very very slow because of latency and a firewall or someone would notice the brute force attack and stop it. It would take hundreds or thousands of years to brute force.
For passwords, you have to use Salt no matter how secure the hashing function is.
Security of hashing functions is not about passwords.
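Added example, not part of any post in this thread: a small Python check of what a per-user salt changes for a stored-password table, using constructed accounts and a constructed three-word list. The construction md5(md5(salt) + md5(password)) is an assumed reading of "use a salt and md5 everything at the end", and the function names are hypothetical.

```python
import hashlib, hmac, secrets

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def hash_salted(password: str, salt: str) -> str:
    # Assumed construction for "salt and md5 everything at the end".
    return md5_hex(md5_hex(salt) + md5_hex(password))

def verify(password: str, salt: str, stored: str) -> bool:
    return hmac.compare_digest(hash_salted(password, salt), stored)

def build_table(wordlist):
    # Precomputed once, reusable against every unsalted md5(password) column.
    return {md5_hex(w): w for w in wordlist}

def table_hits(table, hashes_by_user):
    return {u: table[h] for u, h in hashes_by_user.items() if h in table}

def per_account_search(wordlist, records):
    # Unique salts force a fresh hash for every (account, candidate) pair.
    found, work = {}, 0
    for user, (salt, stored) in records.items():
        for candidate in wordlist:
            work += 1
            if verify(candidate, salt, stored):
                found[user] = candidate
                break
    return found, work

def demo():
    # Constructed accounts; the two passwords are the ones quoted in the thread.
    users = {"alice": "pass123", "bob": "pass123", "carol": "a&i:4K756h_+Vb4"}
    wordlist = ["letmein", "qwerty", "pass123"]  # constructed sample list
    table = build_table(wordlist)
    unsalted = {u: md5_hex(p) for u, p in users.items()}
    salted = {}
    for u, p in users.items():
        salt = secrets.token_hex(8)  # per-user random salt
        salted[u] = (salt, hash_salted(p, salt))
    return {
        "unsalted_table_hits": table_hits(table, unsalted),
        "salted_table_hits": table_hits(table, {u: h for u, (_, h) in salted.items()}),
        "same_password_same_hash": salted["alice"][1] == salted["bob"][1],
        "per_account": per_account_search(wordlist, salted),
    }

if __name__ == "__main__":
    print(demo())
```

The precomputed table matches both unsalted pass123 rows at once and none of the salted rows, and the two pass123 accounts no longer share a hash. The per-account search still recovers pass123 for each of those accounts separately, while the long random password is not recovered from the list.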