
Thread: Dictionary attack in PHP

  1. #1
    Join Date
    Sep 2010
    Posts
    20

    Dictionary attack in PHP

    I wanted to know if the md5 struts reversible (so it's OK but the cryp leadcoder returns for its password in the text). I know that it has something to do with dictionary attacks, but I am not so sure about it. Also, I do not have any knowledge about dictionary attacks in PHP except some basics. I simply intend to study a type of systematic attack, traditional and timeless, which is to compromise protected authentication systems by guessing the password of a user by trial and error. This technique is often referred to as "dictionary attacks" because it requires the use of a database of words, phrases and current dates to guess a simple password. Dictionary attacks are therefore particularly effective against passwords that are based on known words. I do not have more idea than this. I am requesting you to tell me more about it.

  2. #2
    Join Date
    Jan 2009
    Posts
    143

    Re: Dictionary attack in PHP

    This is impossible, it is irreversible. It is irreversible, unless one has a dictionary. Unfortunately more and more sites are doing this, that is why we advise against common names such as house, car, etc. If you want to make a feature of type 'lost password', you will have to generate a new password, send it and then hash it (md5). If you wish to verify the identity of your members, retrieve the password entered, hash it and verify the username / password correspondence. In this case, when the user enters the password, you md5 the $_POST['password motd'].
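    PHP Code:
    <?php
    // $SQL['pwd'] is assumed to hold the MD5 hash stored for this user.
    // Strict comparison (===) avoids PHP type juggling between hash strings.
    if (md5($_POST['pwd']) === $SQL['pwd']) {
        // Ok
    }
    ?>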

  3. #3
    Join Date
    Dec 2008
    Posts
    161

    Re: Dictionary attack in PHP

    MD5 is discouraged and outdated, so why persist in wanting to use it? Moreover, hashing a password with just the hash function is limited; there is nothing like a grain of salt, which prevents the dictionary attack.
    PHP Code:
    <?php
    // Prepend the salt to the password, then hash the result with SHA-256
    $password = 'grain_salt' . $password;
    $password = hash('sha256', $password);
    ?>
    Unfortunately more and more sites are doing this, that is why we advise against common names such as house, car, etc.
    "Timothi" speaks for the lost password feature, I think that the md5 bruteforce to refer to the person who has lost a good idea. Otherwise yes, md5 is a bit outdated, you should use sha1.

  4. #4
    Join Date
    Jan 2006
    Posts
    211

    Re: Dictionary attack in PHP

    We must stop the psychosis: unless you have a site with top secret data, md5 is ample. Simply put a restriction when entering the password to require the user to have 12 characters and a minimum mix of numbers and letters. And in case of loss of password, as mentioned above, a small script generates a temporary password which is transmitted to the user via his email. You may add a field that forces the account to 0 when a new password is issued; when the user reconnects the first time with the new password, he is required to change it, and at the same time you reactivate the account.

  5. #5
    Join Date
    Apr 2009
    Posts
    65

    Re: Dictionary attack in PHP

    If you are having trouble (which should theoretically not be possible), then the problem comes from the design of your site at the security level, not md5. Protection by hashing has more than proven itself in matters of security and authentication; if you fear for the safety of your site, immerse yourself in your lines of code and stop spitting on these algorithms that you do not seem to understand. And if you do not have the original fingerprint, how do you generate your collision? Now, I avoid using MD5. The various SHA functions seem safer.

  6. #6
    Join Date
    Aug 2008
    Posts
    129

    Re: Dictionary attack in PHP

    When it comes to generating MD5 collisions, it is usually in order to crack a protection; in this case, you are foreign to the system, you're not admin, you do not have access to the fingerprint to crack. To hear you, you'd think the admins want to crack their own hashes, since they have access to the fingerprint. In that case I grant that MD5 is a bit outdated, but it is not at all in this context that we address the problem. Here we talk about protecting the cleartext password (or the hash as well) when you're foreign to the system. And if, and only if, you manage to access the hash and create a collision, it will not be the fault of the MD5 algorithm, but of your security system, which would have made the attack possible by allowing an attacker access to a hash (which should not be the case).
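
The login check from post #2 and the salting idea from post #3, combined in an added example that is not part of the original thread: it verifies legacy unsalted MD5 rows and upgrades them on successful login to PHP's built-in `password_hash()`, which generates a random salt per password. The `$users` array, the sample passwords and the function names `is_legacy_md5` and `verify_and_upgrade` are constructed for illustration.

```php
<?php
// Constructed in-memory stand-in for a users table.
// Both rows use unsalted MD5 as in post #2: the same password always
// yields the same stored hash, which is what a precomputed dictionary relies on.
$users = [
    'alice' => ['pwd' => md5('house2010')],
    'bob'   => ['pwd' => md5('house2010')],
];

function is_legacy_md5(string $stored): bool
{
    // An MD5 hex digest is exactly 32 hex characters;
    // password_hash() output starts with '$' and is longer.
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

function verify_and_upgrade(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['pwd'];

    if (is_legacy_md5($stored)) {
        // hash_equals() compares in constant time and avoids == type juggling.
        $ok = hash_equals($stored, md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }

    // On a successful login, replace a legacy or outdated hash with a
    // freshly salted one; the plaintext is only available at this moment.
    if ($ok && (is_legacy_md5($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT))) {
        $users[$name]['pwd'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $ok;
}

// Compare the two stored hashes before and after both users log in.
var_dump($users['alice']['pwd'] === $users['bob']['pwd']);
var_dump(verify_and_upgrade($users, 'alice', 'house2010'));
var_dump(verify_and_upgrade($users, 'bob', 'house2010'));
var_dump($users['alice']['pwd'] === $users['bob']['pwd']);
// The upgraded row still verifies, and a wrong password is rejected.
var_dump(verify_and_upgrade($users, 'alice', 'house2010'));
var_dump(verify_and_upgrade($users, 'alice', 'car'));
```

Because the salt is stored inside the `password_hash()` output, no separate salt column is needed, and rows for accounts that never log in again stay on MD5 until a forced reset.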
