2

There have been talks that md5(md5) is better than md5 alone, but some say it doesn't do anything. Can someone help on how to make this more secure? I'm so confused with the mixed feedback.

$query="INSERT INTO `users` (`email`, `password`)
    VALUES('".mysqli_real_escape_string($link, $_POST['email'])."',
           '".md5(md5($_POST['email']).$_POST['password'])."'
          )";
M Reza Saberi
Anthony
    You should never use md5 to store passwords. Use bcrypt instead. – Afsa Sep 24 '14 at 11:50
  • 1
    Entropy of a single md5() hash is 256 potential bit combinations per byte of data; entropy when you md5() a second time is limited to the charset of the first hash, ie 26 alphanumeric + 10 digits per byte, so hashing more than once increases the chance of collisions by reducing entropy – Mark Baker Sep 24 '14 at 11:50
  • 1
    Some people say that the md5(md5) is worthless in this code... is that true? If it is, is there a way to make this code line more secure? – Anthony Sep 24 '14 at 11:51
  • 2
    If you are using `PHP >= 5.5` foster the use of [password_hash](http://php.net/manual/en/function.password-hash.php). – Debflav Sep 24 '14 at 11:51
  • To make it more secure you should also add a secret key word (a string) with md5(md5($_POST['email']).$_POST['password']).'some string') – Ahsan aslam Sep 24 '14 at 11:51
  • The way to make your code line more secure is to forget about md5 and use PHP's password_hash() function – Mark Baker Sep 24 '14 at 11:51
  • 1
    Look at this PHP FAQ manual page http://php.net/manual/en/faq.passwords.php. It's better to use a hashing function with salt. – marian0 Sep 24 '14 at 11:52
  • Could someone write out how that would look like please? – Anthony Sep 24 '14 at 11:52
  • MD5 is broken! Using it twice is sticking plaster on a gaping wound. – chiastic-security Sep 24 '14 at 11:52
  • It's all written out for you in the [PHP Docs](http://php.net/manual/en/book.password.php) in the section on each page entitled "Examples" – Mark Baker Sep 24 '14 at 11:53
  • The preferred use of this is for checksums; use PHP's password hashing or use the compatibility pack instead – Kevin Sep 24 '14 at 11:53
  • http://www.phptherightway.com/#password_hashing – Mark Baker Sep 24 '14 at 11:59
  • By the way, you're asking for something more secure. So think to use `prepared statements`. – Debflav Sep 24 '14 at 12:11

3 Answers

3

Don't use md5 hashing for storing passwords. Instead use the password_hash function in conjunction with bcrypt. See: http://php.net/manual/de/function.password-hash.php

password_hash($password, PASSWORD_BCRYPT, array('cost' => 13));

For older PHP versions have a look at https://github.com/ircmaxell/password_compat

  • +1. As I already said, if you are using `PHP >= 5.5` I highly recommend the use of `password_hash` too. `Md5` has been ineffective for a long time. – Debflav Sep 24 '14 at 11:59
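As an added example (not code from any of the answers above) of what the question's INSERT looks like once it follows the advice here: password_hash() with bcrypt instead of md5(md5(...)), and a prepared statement instead of string concatenation with mysqli_real_escape_string(). It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names come from the question, the account data is constructed, and a real application would only swap the DSN for its MySQL connection.

```php
<?php
// Added example: registration and login with password_hash()/password_verify()
// and prepared statements. In-memory SQLite via PDO so the script runs offline;
// point the DSN at your MySQL server in a real application.

declare(strict_types=1);

const BCRYPT_OPTIONS = ['cost' => 13]; // same cost as the answer above

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the question's INSERT. The password column must be wide
    // enough for the hash: bcrypt output is 60 characters, other algorithms are longer.
    $db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $email, string $password): void
{
    // password_hash() generates a random salt and stores it inside the returned
    // string, so no extra "secret string" has to be concatenated or kept.
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);

    // Bound parameters: the values never become part of the SQL text, so no
    // manual escaping is needed and quotes in the e-mail are harmless.
    $stmt = $db->prepare('INSERT INTO users (email, password) VALUES (:email, :password)');
    $stmt->execute([':email' => $email, ':password' => $hash]);
}

function loginUser(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false; // unknown e-mail
    }

    // password_verify() reads the algorithm, cost and salt from the stored hash.
    if (!password_verify($password, $row['password'])) {
        return false;
    }

    // If the stored hash was produced with a lower cost or another algorithm,
    // upgrade it while the plaintext is available (this is how cost can be
    // raised later without forcing password resets).
    if (password_needs_rehash($row['password'], PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
        $upd = $db->prepare('UPDATE users SET password = :password WHERE email = :email');
        $upd->execute([':password' => $newHash, ':email' => $email]);
    }
    return true;
}

// Constructed sample accounts (not real data).
$db = openDb();
registerUser($db, 'alice@example.com', 'correct horse battery staple');
registerUser($db, "o'brien@example.com", 'another passphrase');

var_dump(loginUser($db, 'alice@example.com', 'correct horse battery staple'));
var_dump(loginUser($db, 'alice@example.com', 'wrong password'));
var_dump(loginUser($db, "o'brien@example.com", 'another passphrase'));
var_dump(loginUser($db, 'nobody@example.com', 'anything'));
```

The first and third checks succeed and the other two fail. Note that the cost parameter, not the hash length, is what makes the stored value expensive to brute-force: bcrypt with cost 13 performs 2^13 rounds per guess, whereas a plain md5 or sha512 of the password can be tried billions of times per second on commodity hardware.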
1

MD5 will produce 32-character hashes; double-hashing something will still give a 32-character hash, so just don't double-md5 anything! If you want longer hashes (let's call that more secure), you should use something like sha512, whirlpool, etc. See the hash() function in the PHP documentation for examples.

So instead of md5(md5($variable)) you should use hash('sha512', $variable).

Also note, longer hashes mean longer processing time (= more CPU!)

Gipsz Jakab
0

MD5 is insecure for text longer than 512 bit or 64 byte, because you find a mathematical group in it. What you make is a hash of a hash. The hash is shorter than 64 byte. So you have a workaround. If it is secure... I will not give my hand for this. You find more under Wiki. OK, the best way is not to use MD5.

Denis Kohl
  • Mark Baker, in the Wiki link you find a link to a document about the break of MD5; there you find the function of MD5 and the string length of the MD5 coding blocks, and also the length 512 bit. I have seen it in a live demo at CCC 2009 – Denis Kohl Sep 24 '14 at 12:06
  • I can't find that link at all; yes, the coding block size for MD5 is 512-bit, but I can't find anything in any of the linked pages that says what you're suggesting. Collision problems can arise if the two values being hashed are given a common prefix value of a 128-byte block of data, aligned on a 64-byte boundary. – Mark Baker Sep 24 '14 at 12:16
  • Yes, you are right, you need a min length of 4 coding blocks. Coding block length = 512 bit -> 64 byte. So you are "secure" if you use only one block. OK? – Denis Kohl Sep 24 '14 at 12:19
  • Though the algorithm will pad to 512 bits if the input is shorter – Mark Baker Sep 24 '14 at 12:21
  • No, it will split strings that are shorter than 64 byte. But don't ask me how. – Denis Kohl Sep 24 '14 at 12:25