Under dem veckor som gått så verkar det låta som att dem flesta i WN rekommenderar sha1+salt för inloggningssystem.
Vissa pratar om lite mer avancerade tillägg och kombinationer vilket jag inte greppar för att kunna bygga själv.
Det här är den nivå jag klarar av, räcker det eller är jag körd om jag använder den i mitt inloggningssystem?
http://www.phpit.net/article/handling-pass...rds-safely-php/
Jag pratade med folk utanför Sverige som inte verkar ha upplevt våra hackersstormar så dem tycker att md5 fortfarande är brukligt för inloggningar. Bland annat menade en snubbe att md5 är likvärdigt med sha1+salt ur ett visst perspektiv ja ni kan ju läsa själva hur han förklarade ni som kan kryptologi. Så åter till min huvudfråga räcker det med att jag implementerar sha1+salt?
Citat:
Before you go and blindly implement something because you read that you should, try and understand what you are doing. My disclaimer is that I am not a security professional, and there may be some factual errors below, but I believe all of the concepts to be correct.
Re: MD5 is weak. MD5 is a 1 way encryption algorithm. If you these two lines will always be returned the same way:
PHP Code:
|
Kod:
<?php
echo md5('password') . "\n";
echo md5('god') . "\n";
Citat:
The unfortunate thing about this, is that someone can use a rainbow table of known md5 hashes (one column is the plain text version, the other is the md5) to look up your passwords. My understanding is that MD5 hashes cannot be "cracked", only "guessed". This problem exists for ALL 1 way encryption methods.
Re: Salts. Are basically just strings that are appended to another to make it more secure when encrypting it. If you are going to use a salt, you MUST save it in a secure place. If a hacker finds your salt, the salt is 100% worthless. If you forget your salt, your hashes are 100% worthless. The same salt must be appended to every string (password) that you are going to encrypt, and when you are going to compare hashes together, you must, again, append the same salt to your string (password) or you will never be able to compare the hashes. The following lines of codes will always return the same way:
PHP Code:
|
Kod:
<?php
$secure_salt = 'ASFK234';
echo md5('password' . $secure_salt) . "\n";
echo md5('god' . $secure_salt) . "\n";
Citat:
Truthfully, all salts do is make dictionary attacks (and rainbow tables) useless because you add a level of randomization and hopefully make the password a non-word and unguessable. If your salt is compromised, all the hacker has to do is append the salt to the rainbow table and he/she is back in business.
Re: md5 vs. sha1. Sha1 is more secure (a better algorithm is used to generate the hash), but could suffer from the same vulnerabilities of md5. I don't believe that md5 is worthless, and I think that any vulnerabilities that it has, sha1 will have as well (if not now, eventually).
|