1

I understand that passwords should be encrypted in databases to protect them from hackers and people with bad intentions. But MD5 was renewed in 2005. Since then, hackers found the inverse hash function and a lot of websites can easily crack the MD5 hashed key, for example md5this.com, which was one of the first suggested on Google.

Shouldn't each web developer create their own hash functions so that the hackers can't retrieve the password if they get access to the database?

b13bs
  • 3
    That's why you add a salt to your hashes. Also there's no "reverse hash" function (or is there?). That's probably just using rainbow tables. – gen_Eric Jul 06 '12 at 20:07
  • No, there isn't. A hash can't be reversed. – Femaref Jul 06 '12 at 20:08
  • 1
    I suggest reading [Our password hashing has no clothes](http://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html) by Troy Hunt. – Oded Jul 06 '12 at 20:10
  • 2
    Yay. I broke md5this.com. `Could not resolve the value of a61c0860cf45ca17fe1cd241f28715a3 md5 hash.`. :-P That's the md5 hash of `"I Like Pie"`. – gen_Eric Jul 06 '12 at 20:10

2 Answers

2

You shouldn't use MD5 hash for that reason anymore.

It provides some security, just not enough to matter.

Each web developer should, but they don't have the time usually, so SHA1 usually does the trick...

SHA1 is susceptible to a brute force attack, but it would be very time consuming for most developers to come up with their own encryption pattern that isn't susceptible to brute force attacks.

Is SHA-1 secure for password storage?

Max Hudson
0

If you feel like you have the algorithmic chops to create a workable hash function, please do so. The best advice I've seen is to switch from MD5 to the latest SHA implementation, use a salt, and think about running several loops of encryption to force extra work on any crackers.

Robert