0

I'm building a password protected login system for a site, and I have run into two MySQL functions to encrypt the user's password: MD5() and ENCODE().

They both seem to encrypt it, but I want to use whichever one is more secure. Is there a clear winner here, or is it just a preference situation? Thanks!

Andrew Odri
srchulo
  • possible duplicate of [SHA512 vs. Blowfish and Bcrypt](http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt) –  Dec 27 '11 at 07:04
  • They do different things. There are many articles on SO that relate to just this ... my advice is to *not* roll your own. –  Dec 27 '11 at 07:06
  • http://stackoverflow.com/questions/3191690/how-long-should-my-password-salt-be-and-is-sha-256-good-enough , http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords –  Dec 27 '11 at 07:09

3 Answers

3

Use bcrypt. Don't use md5() or encode().

alex
  • +1 I have saved that bookmark for future ... directing. Everything I would have said, but much better, and without me having to re-say it :) However, bcrypt doesn't inherently support an HMAC/"server secret", which, if separate from the hashes, can add another layer of difficulty for an attacker. –  Dec 27 '11 at 06:49
  • There is also [scrypt](http://www.tarsnap.com/scrypt.html) ... not nearly as popular (really, anyone heard of it?), but based on similar ideas to bcrypt: stopping brute-force. –  Dec 27 '11 at 07:11
2

Here is a brief explanation of what each one does:

  • Encode: Encodes (does not encrypt) the string, and can also be decoded. Anyone who can run decode can get access to the password.
  • MD5: Encrypts the string, and is not supposed to be decryptable. The way you determine whether the password is correct is by comparing the two encrypted strings. However, the algorithm is badly flawed and should not be used.
  • SHA2 (string, 512): Encrypts the string, and is not supposed to be decryptable. The way you determine whether the password is correct is by comparing the two encrypted strings. This algorithm is far, far stronger than MD5.

When it comes to using hashes (one-way encryption), it is a good practice to salt your hashes. This prevents potential attackers from using a database of known hashes to rapidly discover passwords.

In short, encode is totally insecure, MD5 is insecure, and SHA2(string, 512) with salt is not a bad choice.

Andrew Odri
  • My bad, although it is colloquially known as one way encryption (RSA calls it that on occasion: http://mexico.rsa.com/rsalabs/staff/bios/ajuels/publications/euro/Euro.pdf). If you read the last part I mentioned that encode was totally insecure :) – Andrew Odri Dec 27 '11 at 06:46
  • Neither MD5 nor SHA-x encrypt. They are one-way hash functions and serve a different purpose. The "issue" with MD5 is that the effective strength has been reduced: but it is still a one-way algorithm. SHA-x and MD5 suffer from the *same issue* however, of *being too fast and easy to brute-force*. The value of the salt depends upon the *size* of domain and nonce-like characteristics. (And does nothing vs. brute force.) –  Dec 27 '11 at 06:48
  • Bruce Schneier, who is typically a pretty trustworthy source of information when it comes to cryptanalysis, has a definitive write-up about the SHA-1 flaws, and computational power it would take to break this as well as the computational power and what is available with SHA-2: http://www.schneier.com/blog/archives/2005/02/cryptanalysis_o.html. I think I am going to stick with SHA2(string, 512) being far, far stronger than MD5, and not a bad choice :P – Andrew Odri Dec 27 '11 at 06:57
  • It's still an awful choice for this problem. See alex's answer for why. Generally "multiple rounds" are suggested, but then you're just talking about a home-rolled "variant" of bcrypt. Note that for brute-force the *size of the input domain* and the *speed of the hash* plays a huge factor -- most passwords are, what, 4-8 characters? The article talks about collisions, which are great for forging documents/binaries signatures, but not *terribly* relevant to passwords, a good bit due to crummy passwords. –  Dec 27 '11 at 06:58
  • Better yet, let's not repeat history :P http://stackoverflow.com/questions/1561174/sha512-vs-blowfish-and-bcrypt – Andrew Odri Dec 27 '11 at 07:03
  • Touché -- social "engineering" ftw :) –  Dec 27 '11 at 07:15
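
The points raised in the two answers and their comments above (a per-user salt, a deliberately slow function such as scrypt, and an HMAC "server secret"), shown together as an added example that is not from any poster in this thread. Python stands in for the application code; the scrypt cost settings, the `PEPPER` value and the `salt$tag` storage format are assumptions of this example.

```python
import hashlib
import hmac
import os
import time

# Assumed cost settings for this example; N=2**14, r=8 needs about 16 MiB per guess.
SCRYPT = dict(n=2**14, r=8, p=1, maxmem=64 * 1024 * 1024, dklen=32)
PEPPER = b"constructed-server-secret"  # hypothetical; lives outside the database

def md5_unsalted(password):
    """Equivalent of MySQL MD5(password): same password, same stored value."""
    return hashlib.md5(password.encode()).hexdigest()

def _tag(password, salt, pepper):
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.new(pepper, key, hashlib.sha256).digest()

def hash_password(password, pepper=PEPPER):
    """Return 'salt_hex$tag_hex' with a fresh 16-byte random salt per user."""
    salt = os.urandom(16)
    return salt.hex() + "$" + _tag(password, salt, pepper).hex()

def verify_password(password, stored, pepper=PEPPER):
    salt_hex, tag_hex = stored.split("$")
    expected = bytes.fromhex(tag_hex)
    actual = _tag(password, bytes.fromhex(salt_hex), pepper)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

def seconds_per_guess(fn, rounds):
    start = time.perf_counter()
    for _ in range(rounds):
        fn()
    return (time.perf_counter() - start) / rounds

def slowdown(password="constructed-password"):
    """How many times more expensive one scrypt guess is than one MD5 guess."""
    fast = seconds_per_guess(lambda: md5_unsalted(password), 20000)
    slow = seconds_per_guess(lambda: _tag(password, b"\x00" * 16, PEPPER), 3)
    return slow / fast

if __name__ == "__main__":
    alice, bob = hash_password("letmein"), hash_password("letmein")
    print("MD5 rows equal:   ", md5_unsalted("letmein") == md5_unsalted("letmein"))
    print("scrypt rows equal:", alice == bob)
    print("verify ok/bad:    ", verify_password("letmein", alice), verify_password("letmein1", alice))
    print("slowdown: about %dx" % slowdown())
```

The salt makes two users with the same password store different values, and the work factor is what raises the cost of each brute-force guess; the salt alone does not.
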
0

Algorithms like MD5 and SHA1 are not encrypting but hashing the source text of any length to an output string of fixed length. And do not use them to protect your users' passwords.

Let me tell you a good way. Ask for a secret question. The answer to this secret question will be the secret key of our password encryption algorithm. Now you use MD5 or whatever to hash this answer. Now encrypt the password using this hash as the secret key (use symmetric key algorithms such as AES). This will help in a way, so that if the user forgets his password, then only that user and no one else will be able to recover the password.

Acn