Thread: Secure MD5 hashing in PHP

  1. #1
    Join Date
    Sep 2010
    Posts
    26

    Secure MD5 hashing in PHP

    I think that I'm here in the right forum to post now. I have recently read on the Internet that an MD5 hash of a password is probably not so secure. Now I'm looking for a solution for a more secure password. I was thinking of something like this:
    PHP Code:
    <?php
    $server = $_SERVER['SERVER_NAME'];
    $password = 'password';

    // Generate md5 hash from servername
    $s_hash = md5($server);

    // Wrap the md5 of the password in parts of the server hash
    $password = substr($s_hash, 15) . md5($password) . substr($s_hash, 16);

    echo sha1($password);
    ?>
    Is this safe enough, or is it secure? What do you think? Please suggest it if you have something else in mind.

  2. #2
    Join Date
    Oct 2008
    Posts
    167

    Re: Secure MD5 hashing in PHP

    According to me, the only problem with md5 hashes is that there are already very large rainbow tables. These are tables where you can look up the hash for a particular (or a) password. However, it helps to "salt" the whole thing, as you already do in principle: just search for md5 + salt. I am sure that you will get some help from it. Also, I would like to suggest a different salt for each application:
    PHP Code:
    <?php
    class User extends UserGen {
        // Application-wide salt
        const HASH_SALT = "2%&$/9862fgncqit#+-ßp#-.";

        public static function HashPassword($password) {
            return md5(serialize(array(self::HASH_SALT, $password)));
        }
    }
    ?>

  3. #3
    Join Date
    Dec 2008
    Posts
    202

    Re: Secure MD5 hashing in PHP

    Yes, there are ways to calculate md5 hashes backward. This mostly just means that one "finds" a string that yields the same hash. To do that, one needs more or less complex algorithms and, above all, processing power. Here you need to be a bit more of a criminal than a script kiddie. Conclusion: md5() is fine without anything further if the application is secure in itself and has no more barn doors. If you feel insecure because several people have access to the DB and/or the password hash, you can use sha1() or, better, the following:
    PHP Code:
    <?php
    $Password = 'mypass';
    $PasswordSalt = '$2a$my$alt';
    // crypt() takes the password first and the salt second
    crypt($Password, $PasswordSalt);
    ?>
    If you use a dynamic salt, which can change over time, you're absolutely secure.

  4. #4
    Join Date
    Jan 2006
    Posts
    211

    Re: Secure MD5 hashing in PHP

    For SHA1 there are also already some rainbow tables, but not as extensive; in principle this applies to everything that works without a salt. The method you use seems exaggerated to me, because in principle it is sufficient to give the md5 password a salt, in any order, so as not to land a hit in a rainbow table. So the server name or a fixed salt is sufficient to protect against rainbow tables.
    PHP Code:
    <?php
    $password = "sex";
    // Append a fixed salt before hashing
    $passwordMD5 = md5($password . "thisisaboutme");
    ?>
    So it is no longer possible to retrieve the password "sex" simply by looking it up in a rainbow table.

    sex = 3c3662bcb661d6de679c636744c66b62

    the whole thing with the secret:

    6434b468e5592d7d70b2691db2925b61

    If you now use an extravagant salt with special characters, such as
    "Th! S_! 5mY5 ³ <R3T !.#*", it is almost impossible. There are several approaches that try all the time with old salts, but in my opinion these are completely unnecessary. A good alternative, which I use, is the hash of username and password. The prerequisite for this is that the user name is a unique identifier.
    PHP Code:
    <?php
    // The unique user name makes the hash differ per account
    $hashed = md5($username . $salt . $password);
    ?>

  5. #5
    Join Date
    Jan 2009
    Posts
    140

    Re: Secure MD5 hashing in PHP

    Generally, it is advantageous to incorporate in the salt something that is different for each user, because even when you know what it is and a rainbow table is created for it, the same table can be used for one user only, never for all. Useful things can be the user name, email address or registration date; the usual requirement is that they are things which the user normally does not change, and if so, the hash must be rebuilt. Ultimately, this is talking around the problem: if the MD5 hash of the password is known, the system is broken and so everything, including the salt, is available to the hacker (unless it uses an external DB connection). Hash values are used ONLY to protect against administrators (!), i.e. the inspection of the clear text password (the "normal" view of the database values).
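
Added example, not part of any post in this thread: it compares the fixed-salt scheme from post #4 with the user-name-in-the-salt scheme from posts #4 and #5 by counting accounts whose stored hashes collide, then shows PHP's built-in `password_hash()` / `password_verify()`, which generate and store a random per-password salt with bcrypt (the `$2a$`-style scheme post #3 points at). The account names and passwords are constructed sample data; the function names are hypothetical.

```php
<?php
// Constructed sample accounts: alice and bob happen to choose the same password.
$users = [
    'alice' => 'sunshine1',
    'bob'   => 'sunshine1',
    'carol' => 'correct horse',
];
$globalSalt = 'thisisaboutme'; // fixed application-wide salt, value taken from post #4

// Scheme A: one salt for everyone. Equal passwords give equal hashes,
// so one precomputed table for this salt covers every account.
function hashGlobal(string $password, string $salt): string {
    return md5($password . $salt);
}

// Scheme B: the unique user name is part of the input.
// A precomputed table now fits exactly one account.
function hashPerUser(string $username, string $password, string $salt): string {
    return md5($username . $salt . $password);
}

// Number of accounts whose stored hash also appears on another account.
function sharedHashes(array $hashes): int {
    $counts = array_count_values($hashes);
    return count(array_filter($hashes, fn($h) => $counts[$h] > 1));
}

$fixed = $perUser = [];
foreach ($users as $name => $pw) {
    $fixed[$name]   = hashGlobal($pw, $globalSalt);
    $perUser[$name] = hashPerUser($name, $pw, $globalSalt);
}
printf("fixed salt:    %d accounts share a hash\n", sharedHashes($fixed));
printf("per-user salt: %d accounts share a hash\n", sharedHashes($perUser));

// Scheme C: password_hash() draws a fresh random salt on every call and
// embeds salt, algorithm and cost in the returned string, so no separate
// salt column is needed and the hash is deliberately slow to compute.
$stored = password_hash($users['alice'], PASSWORD_BCRYPT, ['cost' => 10]);

var_dump(password_verify('sunshine1', $stored)); // correct password
var_dump(password_verify('sunshine2', $stored)); // wrong password
// Hashing the same password again yields a different string (new salt).
var_dump(password_hash('sunshine1', PASSWORD_BCRYPT, ['cost' => 10]) === $stored);
```

`password_hash()` requires PHP 5.5 or later; the arrow function in `sharedHashes()` requires PHP 7.4 or later.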
