
Possible Duplicate:
Secure hash and salt for PHP passwords

Alright, so I'm thinking of double hashing passwords with md5 (for example, hashing the password and then hashing the hash of the password). I want to know if anyone has ever experienced any problems with this method and if you think it's a good way to salt something. Thanks

Cody
  • MD5 is a hashing function, not an encryption function. You can decrypt an encrypted message, but you cannot "unhash" a hash. – Piskvor left the building Sep 05 '11 at 18:23
  • What do you want to use your hash for? How to correctly use a hash function depends heavily on what it's for. But hashing twice is *never* a replacement for a salt. In particular, for password hashing one should *not* use a plain hash function, be it md5 or something newer. – CodesInChaos Sep 05 '11 at 18:29
  • md5 is not a form of encryption; it is a message digest function. – rook Sep 05 '11 at 19:22
  • Sorry everyone, I accidentally said encryption, I meant hashing. Please stop posting that MD5 is not used for encryption. Thank you :) – Cody Sep 05 '11 at 19:33

4 Answers


I recommend against hashing twice.

You might lose some password hashes, making your code even more insecure. It won't help with security.

The best way is to add salt to the password and hash once!

The purpose of the salt is to make it more difficult to brute-force short passwords with pre-computed tables. You can make the salt user dependent.

Pascal Cuoq
Rok Kralj
  • I wouldn't recommend hashing once for password hashing. If you use PBKDF2 it hashes many times (with a better iteration scheme though). – CodesInChaos Sep 05 '11 at 19:09
  • Maybe, but with md5, you just lose entropy. I believe if you md5 any string infinite times, you always get the same hash. – Rok Kralj Sep 05 '11 at 19:11
  • I think the loss of entropy will be low compared to the security gain from slowing down the hash calculations. The loss of entropy is no practical problem for typical iteration counts. But of course a good iteration scheme will mix in the original password on each step to prevent this loss. – CodesInChaos Sep 05 '11 at 19:14
  • "I believe if you md5 any string infinite times, you always get the same hash." Doubtful. This would imply that there is a single cycle in the md5 hash space. I expect there to be a large number of cycles (but still much fewer than 2^128). – CodesInChaos Sep 05 '11 at 19:15
  • You're absolutely right about the first comment; the second would require in-depth analysis which I'll do someday. I'm still young :) Thanks for your opinion. – Rok Kralj Sep 05 '11 at 19:19
  • My gut feeling is that there will be about 2^64 different cycles in a hash function, since ending up in your current cycle behaves in a way similar to the birthday problem. But even if there were a single cycle, that would not even imply that all hashes are the same, since most hashes would end up at different positions in that cycle. So the statement "I believe if you md5 any string infinite times, you always get the same hash." implies that there is only a single cycle, and this cycle has length one. That sounds very unlikely to me. – CodesInChaos Sep 05 '11 at 19:29
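The comment thread above argues about what repeated hashing does to the digest space. The Python below is an added illustration, not code from the answer or its commenters. It puts three schemes side by side: the asker's double md5, naive iteration `h = md5(h)`, and an iteration that folds the salt and password back in on every round (the "good iteration scheme" described in the comments; PBKDF2 proper is `hashlib.pbkdf2_hmac`). It also runs a toy experiment on md5 truncated to 12 bits, so that the whole input space can be enumerated, and counts how many distinct outputs survive after k rounds of plain iteration. The password and salt values are constructed for the demo.

```python
import hashlib

# Constructed sample values for the demonstration; not from the original post.
PASSWORD = b"correct horse battery staple"
SALT = b"constructed-salt-0001"


def double_md5(password: bytes) -> str:
    """The scheme the question asks about: md5 of the hex md5 of the password
    (what PHP's md5(md5($p)) computes). Deterministic and unsalted, so two users
    with the same password still get the same digest."""
    first = hashlib.md5(password).hexdigest()
    return hashlib.md5(first.encode("ascii")).hexdigest()


def iterate_plain(password: bytes, rounds: int) -> bytes:
    """Naive iteration h = md5(h): after round one, each state depends only on
    the previous digest, so the reachable set can only shrink round by round."""
    h = hashlib.md5(password).digest()
    for _ in range(rounds - 1):
        h = hashlib.md5(h).digest()
    return h


def iterate_mixing(password: bytes, salt: bytes, rounds: int) -> bytes:
    """Iteration that mixes salt and password into every round. Each round is
    keyed by the password, so distinct passwords cannot be merged by the
    iteration itself; PBKDF2 does this via HMAC keyed with the password."""
    h = hashlib.md5(salt + password).digest()
    for _ in range(rounds - 1):
        h = hashlib.md5(h + salt + password).digest()
    return h


def distinct_images(bits: int, rounds: int) -> int:
    """Toy experiment for the entropy-loss debate. md5 is truncated to `bits`
    bits so all 2**bits inputs can be enumerated; every input is fed through
    `rounds` rounds of plain iteration and the distinct outputs are counted.
    A truncated hash behaves like a random function on a tiny space, so the
    shrinkage is large here and proportionally negligible at 128 bits."""
    space = 1 << bits
    nbytes = (bits + 7) // 8
    mask = space - 1

    def f(x: int) -> int:
        digest = hashlib.md5(x.to_bytes(nbytes, "big")).digest()
        return int.from_bytes(digest[:nbytes], "big") & mask

    outputs = set()
    for x in range(space):
        y = x
        for _ in range(rounds):
            y = f(y)
        outputs.add(y)
    return len(outputs)


if __name__ == "__main__":
    print("double md5 :", double_md5(PASSWORD))
    print("plain x1000:", iterate_plain(PASSWORD, 1000).hex())
    print("mixed x1000:", iterate_mixing(PASSWORD, SALT, 1000).hex())
    for k in (1, 2, 5, 10, 30):
        print(f"12-bit toy, {k:>2} rounds: {distinct_images(12, k)} distinct outputs of 4096")
```

The toy numbers make the mechanism visible: even a single round of a random function reaches only about 63% of its range, and each further round of `h = f(h)` loses more. At 128 bits the same effect costs a fraction of a bit per round, which is why the comments call it no practical problem for typical iteration counts, but the mixing variant avoids the question entirely.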

MD5 is cracked. No matter how many times you rehash the hash, it adds absolutely no more security.

No it is not a good way to salt something.

Salting a password means adding extra data to the original password and then hashing the result.

You should generate a salt of at least 256 bits with a cryptographic random number generator, add that to your original password and then use a hash that has not been cracked, aka SHA-512.

NAE
  • "aka" is short for "also known as" and somehow implies that SHA-512 is the quintessential hash function, the only choice. – Pascal Cuoq Sep 05 '11 at 18:31

MD5 is broken - so go for SHA2 hashing. Hashing can be improved with salting and hashing in an iteration - which will secure you from dictionary and rainbow table attacks.

Prabath Siriwardena
  • For password hashing plain SHA2 is just as wrong as plain md5. And for most hashing scenarios where md5 is broken a salt isn't required. – CodesInChaos Sep 05 '11 at 18:31
  • SHA-2 is a set of hash functions (SHA-224, SHA-256, SHA-384, SHA-512) which is far better than MD5, and AFAIK the US government recommended using SHA-2 from 2011 - so it's safe using SHA2 with the recommendation I added in my comment. – Prabath Siriwardena Sep 05 '11 at 18:34
  • Using plain SHA-2 is the right choice for many uses. But not for password hashing. For this you should use something like PBKDF2, bcrypt or scrypt. The reason is that SHA-2 is designed to be fast, but password hashing should be slow in order to slow down brute-force attacks. – CodesInChaos Sep 05 '11 at 18:38
  • Yes.. true - but the addition of a strong salt makes the brute-force harder... – Prabath Siriwardena Sep 05 '11 at 18:40
  • The only (significant) effect a salt has on a brute-force attack is forcing the attacker to attack each hash separately. The strength of a salt doesn't matter much as long as it's unique. – CodesInChaos Sep 05 '11 at 18:44
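The two answers above describe the recipe concretely: a 256-bit salt from a cryptographic random number generator, added to the password, then SHA-512 (NAE), with the follow-up answer and its comments adding iteration and naming PBKDF2. The Python below is an added example, not code from either answer. `salted_sha512` is the single-round recipe as stated, and `pbkdf2_sha512` is the iterated form built on `hashlib.pbkdf2_hmac`, wrapped in a self-describing storage record and constant-time verification. The password, the `scheme$rounds$salt$digest` record format and the iteration count are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample input for the demonstration; not from the original answers.
PASSWORD = "correct horse battery staple"

SALT_BYTES = 32          # 256-bit salt, as the answer above recommends
PBKDF2_ROUNDS = 100_000  # assumed iteration count for the demo; tune to your hardware


def new_salt(nbytes: int = SALT_BYTES) -> bytes:
    """Salt from the OS CSPRNG (secrets wraps os.urandom); never random.random()."""
    return secrets.token_bytes(nbytes)


def salted_sha512(password: str, salt: bytes) -> bytes:
    """NAE's recipe: one SHA-512 over salt || password. The salt defeats
    precomputed tables, but a single fast round leaves per-hash guessing cheap."""
    return hashlib.sha512(salt + password.encode("utf-8")).digest()


def pbkdf2_sha512(password: str, salt: bytes, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """Salt plus many iterations, as the comments recommend: PBKDF2-HMAC-SHA512.
    HMAC is keyed with the password, so every round re-mixes the original input."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, rounds, dklen=64)


def store(password: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Record in the assumed format scheme$rounds$salt$digest. Storing the
    parameters beside the digest lets the round count be raised later
    without breaking existing records."""
    salt = new_salt()
    digest = pbkdf2_sha512(password, salt, rounds)
    return f"pbkdf2_sha512${rounds}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time so
    that an early-exit byte comparison does not leak how much of the digest matched."""
    scheme, rounds, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    candidate = pbkdf2_sha512(password, bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def roundtrip(password: str, wrong: str, rounds: int = PBKDF2_ROUNDS) -> tuple:
    """Store once, then check the right and a wrong password against the record."""
    record = store(password, rounds)
    return verify(password, record), verify(wrong, record)


def same_password_differs(password: str) -> bool:
    """With unique salts, two users sharing a password get unrelated digests,
    which is what forces an attacker to work on each hash separately."""
    return salted_sha512(password, new_salt()) != salted_sha512(password, new_salt())


if __name__ == "__main__":
    rec = store(PASSWORD)
    print(rec)
    print("verify correct:", verify(PASSWORD, rec))
    print("verify wrong  :", verify("wrong password", rec))
    print("same password, different salts, different digests:", same_password_differs(PASSWORD))
```

Both functions take the same salt; the difference is only the cost per guess, which is the point CodesInChaos makes in the comments. The record format keeps the rounds next to the digest so that the cost can be raised as hardware improves, and `hmac.compare_digest` is used instead of `==` for the final check.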

First, MD5 is significantly broken - Do Not Use, consider something like SHA-256 instead.

Second, salting is something quite different - having a hash(hash(password)) will not give you any security increase. See this for a further discussion: Secure hash and salt for PHP passwords

Piskvor left the building
  • MD5 is not broken in such a way that it would be useless for password hashing. It is useless for file hashing, as it is relatively easy to create an evil file with the same hash. – Rok Kralj Sep 05 '11 at 18:28
  • @Rok Kralj: Oh, sure it is **extremely** broken in this way, and has been for some time (which, indeed, makes it useless for password hashing). See e.g. [US-CERT](http://www.kb.cert.org/vuls/id/836068) if you don't believe me: "Overview: Weaknesses in the MD5 algorithm allow for collisions in output. As a result, attackers can generate cryptographic tokens or other data that illegitimately appear to be authentic." It's useless for anything, including file hashing *and* cryptography. – Piskvor left the building Sep 05 '11 at 18:31
  • md5 is broken for applications which require collision resistance. But password hashing is not one of them. Plain md5 is still bad for password hashing, but plain sha-2 is almost as bad because both are *fast*. Please cite a reference that the (practical) weaknesses of md5 apply to password hashing. From what I know there are no practical pre-image attacks against md5. – CodesInChaos Sep 05 '11 at 18:33
  • See, @Piskvor? @CodeInChaos nailed it! :) – Rok Kralj Sep 05 '11 at 19:01