-2

Can anyone tell me what's wrong with this?

function hashmyshit($pass){

    for ( $i = 0; $i < 1000; $i++ ){
        MD5($pass);
    }
    return $pass;
}

and how to iterate a password hashing process many times.

user3723666
    Why are you iterating the password? And you are returning $pass instead of the encrypted password. – TBI Jul 18 '14 at 09:03
  • You should not use `md5()` to encrypt passwords. It is far from safe now. You might want to read this : http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords – Clément Malet Jul 18 '14 at 09:04
  • Recommended security method for passwords is to use PHP's built-in [password_hash()](http://php.net/manual/en/function.password-hash.php) function, or the [userland equivalent](https://github.com/ircmaxell/password_compat) for earlier versions of PHP – Mark Baker Jul 18 '14 at 09:05
  • RTFM, come on... `md5` _returns_ a string. Hashing the same thing multiple times does not deter from the fact that md5 is no longer secure – Elias Van Ootegem Jul 18 '14 at 09:08
  • Also see Openwall's [PHP password hashing framework](http://www.openwall.com/phpass/) (PHPass). It's portable and hardened against a number of common attacks on user passwords. The guy who wrote the framework (SolarDesigner) is the same guy who wrote [John The Ripper](http://www.openwall.com/john/) and sits as a judge in the [Password Hashing Competition](http://password-hashing.net/). So he knows a thing or two about attacks on passwords. – jww Oct 12 '14 at 00:36

3 Answers

5

You should use :

$pass = md5($pass);

instead of

MD5($pass);

But in fact, what do you want to achieve? Why do you want to do md5 many times on strings that md5 was already done on? What's the purpose? If you simply want to safely encrypt a password you should choose a better encryption method using the password_hash() function.

Using the same encrypt function many times may even make it easier for an attacker to get into your system, so you shouldn't do such things.

Marcin Nabiałek
  • Thank you, I don't know why I didn't think to do this. – user3723666 Jul 18 '14 at 09:04
  • I have read it is better to encrypt many times, rather than only once. Have I been reading false information? – user3723666 Jul 18 '14 at 09:05
  • @user3723666 It won't be safer. It can be even less safe if you run the same function multiple times. `md5` itself isn't the best choice. You should use the `hash` function as I mentioned in my answer, but only once (without any loops) – Marcin Nabiałek Jul 18 '14 at 09:06
  • @MarcinNabiałek Any resource about 'It can be even less safe if you run multiple times the same function.' please? I'm interested – Clément Malet Jul 18 '14 at 09:08
  • @user3723666 - very much a simplification, repeated MD5 hashing actually reduces entropy.... repeated hashing provides a slowdown for brute force cracking, but not much of one here – Mark Baker Jul 18 '14 at 09:08
  • Thank you for the information, you have been very helpful to me, I'm still a beginner in PHP and am constructing a website with a login and a few other PHP functions for practice. – user3723666 Jul 18 '14 at 09:10
  • @user3723666 - Iterating with a hash algorithm is called key-stretching and is indeed a good thing to do. The idea behind it is that you can control the time an attacker needs to calculate a single hash-value. Iterating doesn't mean a dumb for-loop though, and MD5 is not appropriate to hash passwords, nor is the mentioned hash() function. With PHP you should use the function [password_hash()](http://www.php.net/manual/en/function.password-hash.php). There exists a [compatibility pack](https://github.com/ircmaxell/password_compat/blob/master/lib/password.php) too. – martinstoeckli Jul 18 '14 at 11:16
  • @martinstoeckli I've corrected my answer then. But I don't know what the difference is between those 2 functions `hash` and `password_hash`. I don't see any details in the manual – Marcin Nabiałek Jul 18 '14 at 11:26
  • @MarcinNabiałek - The function `password_hash()` implements the BCrypt algorithm, which has a cost factor to control the number of iterations. The `hash()` function can be used to calculate simple algorithms like MD5 / SHA* which are way too fast for hashing passwords. You could for example try [8 Giga MD5 passwords per second](http://hashcat.net/oclhashcat/#performance) with common hardware. – martinstoeckli Jul 18 '14 at 11:31
  • @martinstoeckli Thank you for the explanation – Marcin Nabiałek Jul 18 '14 at 11:35
  • @MarcinNabiałek - You are welcome! In case you want to know more about the topic, you may have a look at my tutorial about [secure password storing](http://www.martinstoeckli.ch/hash/en/index.php). – martinstoeckli Jul 18 '14 at 11:39
2

Accordingly, if you want to hash the password 1000 times then you can do it like this:

function hashmyshit($pass){
    $password = $pass;
    for ( $i = 0; $i < 1000; $i++ ){
        $password = md5($password);
    }
    return $password;
}

Previously you were trying to hash the same $pass 1000 times. But as @Marcin Nabiałek said, this is not the appropriate method to secure passwords; you should use in-built encryption.

Jatin Bansal
0

I would strongly refrain from using MD5, due to the many cryptographic weaknesses found in the algorithm and for other obvious reasons which Philipp is kind enough to elaborate on in the following post:

https://security.stackexchange.com/questions/52461/how-weak-is-md5-as-a-password-hashing-function

Try BCrypt Instead

Andrew Moore explains in this post how to use bcrypt for hashing passwords in PHP:

How do you use bcrypt for hashing passwords in PHP?

Community