All geek questions in one place

How secure are MD5 and SHA1

Hey, just simple questions as I try to understand a little more about the Hash features, I know how they work and what they do, but how safe are they?

I would appreciate a simple answer, not links, as I never find them useful.

+6
source share
3 answers

With today's technology, both can be cracked . There are also hash dictionaries that help you find the hash for short strings.

If they are safe or not, it depends a lot on what you want to protect. If you are building an online banking system, they are not recommended at all (depending on which online banking system they are used in). For example, if you only implement them for hashing user passwords online, it also depends on whether you should hack the site, how many users you have, etc.

The general advice is to first examine the level of security that you want to achieve in your scenario and decide which technologies (in this case, hashing) you are using. Also there is no 100% security. Also, do not invest too much time in one security problem and ignore others that may not be so obvious or technical (human errors, safety from the unknown, human engineering).

Check this:

  • create a hash for the little word here . For example, password has an MD5 hash: 5f4dcc3b5aa765d61d8327deb882cf99
  • now go here and request text.

The above example is just one of many (dictionary attacks) possible ways to break them. In addition, the wikipedia articles of each security algorithm provide you with a list of vulnerabilities.

SEE ALSO:

FEEDBACK

They never allow websites to generate a hash for the real password that you have (in case you need it somewhere for testing or for other reasons). Always use test passwords or generate hashes on the local computer. People create hash databases (whether hackers or not) and also provide online hash tools to capture hashes.

+22
source

Here is a comparison between MD5 and SHA1. You can get a clear idea of ​​which one is better.

enter image description here

0
source

When discussing hash security and brute force, shouldn't we take a little more?

First of all, md5 obfuscates data stored in a trusted zone or not. In other words, can we trust our db administrator to not try to read user passwords from the database, and brute force cancels them. This can be trusted or technically provided using some security procedures (the db administrator may not have access to the table in which the password hashes are stored, this may be available only to the security officer).

Another possibility is to intercept the password hash of login + password from a client or client-server transaction. If the client does not have a Trojan horse, and the connection between the client and the server is TLS-protected, the pair should be protected from man-in-the-middle attacks.

What remains for the attacker (except social engineering, xss security hacking and hosting) to subsequently send the number of generated requests to the login server and see if it succeeds. This can also be controlled:

  • after a successful and unsuccessful login, there may be a random delay time before the service responds to a slowdown in brute force.
  • the login process can suspend parallel login requests from the same IP address and parallel logins with the same login name (to enforce the above rule).
  • the limit for unsuccessful logins can be set, after it is exceeded, the account is locked and a security warning is triggered.

I believe that when the above rules are implemented, the md5 hash is quite safe. In fact, it is equally safe as a simple password :) To summarize, if we are sure that our md5 hash is safe, we can simply leave the passwords open. Currently, twist is not used by md5 at all (due to password confusion). What needs to be done is to leave it in a repository in a trusted zone or use a stronger tool (for example, SHA) if the trusted zone is not managed. And, in my opinion, the trusted zone is still at risk of server security (hosting services), so regardless of whether passwords are simply confused with SHA (or better) :) This should not be costly to simplify password hashing and it brings some benefits (reduces risks), so my advice will never again repeat this discussion.

However, even when using SHA hashing, all voice security rules must be implemented. Especially TLS, which prevents the compromise of login passwords and password (regardless of whether the password is sent in normal mode or hashed using md5 or sha, it can activate a successful login). It is also necessary to monitor login attempts. Even if we think our site is rude evidence, it’s good to know that someone is trying to compromise security.

0
source

Source: https://habr.com/ru/post/945679/

More articles:


All Articles