-3

I mean, they say md5 hashes are one-way. Once something is encrypted, it can't be decrypted. I read other questions and people say it is now easy to just match and decrypt using something they call 'rainbow tables'... okay, they can be decrypted, but, if yes, then is there any other way to make the website secure? If all md5s are decryptable, how do Facebook and Twitter keep their data secure?

2 Answers

1

When people say "md5 hashes are one-way", they really mean that when you have outputs which are chosen from a sufficiently large input space, then there are no known methods to reverse them efficiently. But what happens if your input space is small?

Passwords tend to be small because they need to be human memorable, so they come from a small input space. This means one can simply try to guess common passwords (such as abc123, password1, qwerty, and so on) to see if the MD5s produce the same output value as what is stored in the database. It does not mean that they can get all passwords, but they certainly can get a large number of them. This is called a dictionary attack.

There is a long history on this topic, going back to the Unix "crypt" days. The idea of "salts" was added to make passwords harder to guess against dictionary attacks, and the "encrypting" function was made to be slow to further slow down dictionary attacks. That worked for the time being, but as technology got faster, better solutions were needed.

Additionally, rainbow tables played a role in obsoleting the older defenses. Rainbow tables are huge lookup tables that allow hackers to find passwords faster. They are a time-memory trade-off. Actually, rainbow tables are just a generalization of an earlier trick due to Martin Hellman (one of the all-time greats in cryptography).

To cut a long story short, you just want to know what the good companies do today, and to that I refer you to these 2 references:

Actually, Thomas Pornin has a lot of information about this all over Stack Overflow, so I recommend you Google it because he really knows the subject well and writes better than anyone else on the topic.

TheGreatContini
0
  • Passwords should be stored hashed and include a salt. The hash algorithm should be SHA256 or better; consider slow hashes like scrypt or PBKDF2.
  • Ensure your server infrastructure is secure and actively perform audits using available tools.
  • Database solutions such as MySQL often include encryption methods, which are based on secure keys for authentication and decryption.
Michael Petrotta
ab92014
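Added example, not part of either answer above: it shows why unsalted MD5 of a guessable password falls to a precomputed lookup (the first answer's dictionary attack, used here as a defender's audit of a legacy table), next to the salted, slow storage the second answer recommends. The names `audit_unsalted_md5`, `hash_password`, `verify_password`, the sample data and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny common-password list and a legacy user table.
COMMON = ["abc123", "password1", "qwerty"]
LEGACY_MD5 = {
    "alice": hashlib.md5(b"qwerty").hexdigest(),         # guessable password
    "bob": hashlib.md5(b"V9!rk2#tLq8zP").hexdigest(),    # not in the list
}

ITERATIONS = 600_000  # assumption: tune so one hash takes a noticeable time


def audit_unsalted_md5(table, wordlist):
    """Return accounts whose unsalted MD5 matches a common password.

    One precomputed lookup covers every user at once, because without a
    salt the same password always produces the same stored hash.
    """
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, dk  # store all three with the account


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, expected = record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    print("weak legacy accounts:", audit_unsalted_md5(LEGACY_MD5, COMMON))
    r1, r2 = hash_password("qwerty"), hash_password("qwerty")
    # Same password, different salts: stored values differ, so a
    # precomputed table built for one record does not help with another.
    print("records differ:", r1[2] != r2[2])
    print("verify:", verify_password("qwerty", r1), verify_password("abc123", r1))
```

A per-user salt does not make a weak password strong; it forces each guess to be recomputed per account, and the iteration count makes each of those guesses expensive.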