-2

When storing passwords in PHP/MySQL, can I assume the passwords to be safe if I were to run the MD5 algorithm again and again, in combination with text replacement and rotation?

  • 9
    Full answer: Nope. – IncredibleHat Dec 07 '17 at 19:23
  • 1
    Define "safe". Safe from your meddlesome 8 year old sister? Safe from professional rivals? Safe from major organized crime and terror groups? – Robert Columbia Dec 07 '17 at 19:23
  • 5
    [Warning It is not recommended to use this function to secure passwords, due to the fast nature of this hashing algorithm. See the Password Hashing FAQ for details and best practices.](http://php.net/manual/en/function.md5.php) – tkausl Dec 07 '17 at 19:24
  • 4
    md5 is NOT encryption! – Patrick Q Dec 07 '17 at 19:25
  • Curious why you are asking. Is this just because you are interested in the problem in general? Are you aware of `password_hash` and `password_verify`? – Ray Toal Dec 07 '17 at 19:28

1 Answer

2

No, MD5 is not secure to use to create a password verifier.

With PHP, use `password_hash` and `password_verify`; the pair are secure and easy to use.

When saving a password verifier, just using a hash function is not sufficient, and just adding a salt does little to improve the security. Instead, use a function such as PBKDF2, Rfc2898DeriveBytes, Argon2, password_hash, Bcrypt or similar functions with about a 100ms duration. Make the attacker spend a substantial amount of time finding passwords by brute force.

zaph
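The following is an added example, not part of the original answer: it picks a bcrypt cost that takes about 100 ms on the current machine and goes one step further than the answer by upgrading rows that still hold a plain MD5 hex digest at the next successful login. The function names `calibrateCost` and `verifyAndUpgrade`, the choice of bcrypt, and the assumption that legacy rows are 32-character unsalted MD5 hex strings are all illustrative.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: lowest bcrypt cost whose hash time reaches the target (about 100 ms).
function calibrateCost(float $targetSeconds = 0.1, int $min = 10, int $max = 15): int
{
    for ($cost = $min; $cost < $max; $cost++) {
        $start = microtime(true);
        password_hash('calibration-sample', PASSWORD_BCRYPT, ['cost' => $cost]);
        if (microtime(true) - $start >= $targetSeconds) {
            break;
        }
    }
    return $cost;
}

// Hypothetical helper. Returns [bool $ok, ?string $newHash];
// $newHash is non-null when the stored value should be replaced in the database.
function verifyAndUpgrade(string $password, string $stored, int $cost): array
{
    $opts = ['cost' => $cost];
    // Assumed legacy format: 32 hex characters of unsalted MD5.
    if (preg_match('/\A[0-9a-f]{32}\z/i', $stored) === 1) {
        if (!hash_equals(strtolower($stored), md5($password))) {
            return [false, null];
        }
        // Correct password on a legacy row: replace the MD5 digest immediately.
        return [true, password_hash($password, PASSWORD_BCRYPT, $opts)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    // Modern row: rehash only if the algorithm or cost is out of date.
    $new = password_needs_rehash($stored, PASSWORD_BCRYPT, $opts)
        ? password_hash($password, PASSWORD_BCRYPT, $opts)
        : null;
    return [true, $new];
}

// Constructed sample data: one legacy row, then the upgraded row.
$cost = calibrateCost();
$legacy = md5('correct horse');
[$ok, $upgraded] = verifyAndUpgrade('correct horse', $legacy, $cost);
var_dump($ok, strncmp((string) $upgraded, '$2y$', 4) === 0);
[$okAgain, $rehash] = verifyAndUpgrade('correct horse', (string) $upgraded, $cost);
var_dump($okAgain, $rehash);
[$bad] = verifyAndUpgrade('wrong password', (string) $upgraded, $cost);
var_dump($bad);
```

Run the calibration once on the production hardware and store the resulting cost in configuration rather than measuring on every request.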