All geek questions in one place

Does encrypting a password several times really make it more secure?

Possible duplicate:
Is "double hashing" a password less secure than just hashing it?

So, I read the article on PHP website security, and they recommended hashing the password several times, in fact this is a direct quote from the article:

md4(md4(md5(sha1(md4(md5(sha1(sha1($_POST['password']))))))));

Now, personally, I usually use SHA-256 hashlists on my passwords, because I thought that MD4 and MD5 were no longer protected and that password hashing several times would simply put too much load on the server, benefit. It is right?

+4
source share
4 answers

A direct quote from the article will not work, since in PHP there is no md4() function. And then that would not make sense.

Usually, applying multiple hash functions does not hurt. But when you go from sha1 to md5 , you lose the input range (md5 gives you 128-bit output, but sha1 has a length of 160 bits). This is a rewrite of the reduced shutter speed, which means that the possible output set will never be greater than that of md5() .

+2
source

Little. If the goal is to obtain an initial password, this becomes an impossible task. However, this is usually not the case, and if you really use md4 for an external hash, well .. http://en.wikipedia.org/wiki/MD4#Security

There are many other ways to increase security, the most important of which is to use some kind of random salt that is not stored with the password.

+1
source

The best passwords to protect can be: 1) use hash_hmac with sha256 or higher 2) use random nonce for the user and store it in db 3) use a random iteration counter for each user and store it in dB.

You should also read: Protect the hash and salt for PHP passwords

+1
source

If you do not store your passwords tens of thousands of times, you do not know what you are doing.

It is computationally expensive; this is the point. For the legitimate purpose of authenticating a user who has the correct password, the load is negligible. But for an attacker who is trying to test a huge list of passwords in an offline attack, the cost is prohibitive.

Using thousands of iterations of a hash function is a well-established and widely used technique for "key reinforcement." It is included in key derivation standards and is used in algorithms such as bcrypt for password protection.

Use bcrypt or PBKDF2, for which you will need to use salt and iteration. Do not try to compose your own method using multiple broken hashes.

+1
source

Source: https://habr.com/ru/post/1387658/

More articles:


All Articles