Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Rhinorhino on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
md5 vs sha1
- Thread starter janet24
- Start date
sleipnir214
Programmer
MD5 and SHA1 are similar in that they are hash algorithms. They are different in how they calculate their respective hashes and in the number of bits in that hash. MD5 calculates a 128-bit hash and SHA1 a 160-bit hash, so SHA1 should have fewer colllisions.
What have you done that isn't working?
Want the best answers? Ask the best questions! TANSTAAFL!
What have you done that isn't working?
Want the best answers? Ask the best questions! TANSTAAFL!
- Thread starter
- #3
I just changed this line of code from
$md5pass = md5($_POST['pass']);
$md5pass = sha1($_POST['pass']);
I kept the variable $md5pass the same so I wouldn't have to change in the rest of the script. It looks like it's working but doesn't really add anything to the database. Is there something I have to use besides varchar(50) in the database.
I don't totally understand the code because I didn't write it but got it to work by changing the code in certain places. I wasted to use sha1 instead of md5 however. Is there something that needs to be turned on in PHP to use it?
$md5pass = md5($_POST['pass']);
$md5pass = sha1($_POST['pass']);
I kept the variable $md5pass the same so I wouldn't have to change in the rest of the script. It looks like it's working but doesn't really add anything to the database. Is there something I have to use besides varchar(50) in the database.
I don't totally understand the code because I didn't write it but got it to work by changing the code in certain places. I wasted to use sha1 instead of md5 however. Is there something that needs to be turned on in PHP to use it?
- Thread starter
- #4
sleipnir214
Programmer
No, there is nothing that needs to be turned on in PHP to make SHA1 available. And you can quite easily find out what kind of storage the output of PHP's sha1() function uses by the simple expedient of referring to the online manual.
Why would you be changing the hash function used by the
session-handling system? Are we talking about session IDs?
Want the best answers? Ask the best questions! TANSTAAFL!
Why would you be changing the hash function used by the
session-handling system? Are we talking about session IDs?
Want the best answers? Ask the best questions! TANSTAAFL!
- Thread starter
- #6
I used code from the web for a log-in and got it to work but I don't really understand it very much. They used MD5() and I heard that it wasn't very secure and thought I could use SHA1() instead.
Making the login more secure is not that simple I expect but I don't understand enough about coding to make it more secure. It doesn't need to be real secure but I don't want the database to be erased or anything.
There's too much code to post it and I might not even understand your answer.
Making the login more secure is not that simple I expect but I don't understand enough about coding to make it more secure. It doesn't need to be real secure but I don't want the database to be erased or anything.
There's too much code to post it and I might not even understand your answer.
sleipnir214
Programmer
[Isn't] very secure" is a term that is relative to your requirements.
This code:
produces the output:
[tt] MD5: apple: 1f3870be274f6c49b3e31a0c6728957f
MD5: Apple: 9f6290f4436e5a2351f12e03b6433c3c
SHA1: apple: d0be2dc421be4fcd0172e5afceea3970e2f3d940
SHA1: Apple: 476432a3e85a0aa21c23f5abd2975a89b6820d63[/tt]
Notice that the sha1() function produces a hash that is a much bigger than the md5() hash. This means that there are more possible values sha1() can output than md5(). More possible values should decrease the chances of a collision, that is situations where two different input strings produce the same hash.
Want the best answers? Ask the best questions! TANSTAAFL!
This code:
Code:
<?php
print ' MD5: apple: ' . md5('apple');
print "\n";
print ' MD5: Apple: ' . md5('Apple');
print "\n";
print 'SHA1: apple: ' . sha1('apple');
print "\n";
print 'SHA1: Apple: ' . sha1('Apple');
?>produces the output:
[tt] MD5: apple: 1f3870be274f6c49b3e31a0c6728957f
MD5: Apple: 9f6290f4436e5a2351f12e03b6433c3c
SHA1: apple: d0be2dc421be4fcd0172e5afceea3970e2f3d940
SHA1: Apple: 476432a3e85a0aa21c23f5abd2975a89b6820d63[/tt]
Notice that the sha1() function produces a hash that is a much bigger than the md5() hash. This means that there are more possible values sha1() can output than md5(). More possible values should decrease the chances of a collision, that is situations where two different input strings produce the same hash.
Want the best answers? Ask the best questions! TANSTAAFL!
- Thread starter
- #8
If they work relatively the same why can't I just replace it in the code?
$md5pass = md5($_POST['pass']);
$md5pass = sha1($_POST['pass']);
This code I used is posted on the web
After the code people wrote in saying it wasn't secure enough. I don't need it to be real secure. Somebody mentioned that he shouldn't have used md5() and that people often use the same password as they do on other sites and somebody could get the password. I thought I could replace the md5() with sha1() but it doesn't enter the data in the database when I do that.
$md5pass = md5($_POST['pass']);
$md5pass = sha1($_POST['pass']);
This code I used is posted on the web
After the code people wrote in saying it wasn't secure enough. I don't need it to be real secure. Somebody mentioned that he shouldn't have used md5() and that people often use the same password as they do on other sites and somebody could get the password. I thought I could replace the md5() with sha1() but it doesn't enter the data in the database when I do that.
you can just replace it in the code. remember to change the relevant line in both register.php and login.php.
users created with passwords created with md5 will not be able to access their accounts after you have changed these lines. you will need to reset their passwords.
the lack of 'security' that i would consider is simply that there are a lot of sites out there that are storing reverse md5 hashes whereas i have not seen so many that do the same for sha1. still, the usual rules about using strong passwords should apply and if your users do so i think it rather unlikely that their md5 hash of their strong password would find itself on to the internet.
users created with passwords created with md5 will not be able to access their accounts after you have changed these lines. you will need to reset their passwords.
the lack of 'security' that i would consider is simply that there are a lot of sites out there that are storing reverse md5 hashes whereas i have not seen so many that do the same for sha1. still, the usual rules about using strong passwords should apply and if your users do so i think it rather unlikely that their md5 hash of their strong password would find itself on to the internet.
This raises a good point. However, this is not such a serious concern if you use a salted hash.jpadie said:
Adding salt to your hash simply means appending a randomly chosen string to your input value before calculating the hash value. In this example, the user table in the database would contain an additional salt column, which would contain a randomly computed string. Instead of just calculating the MD5 hash of the user-entered password, you would append the salt string to the end of the password and calculate the hash value of the combined string.
This effectively prevents dictionary attacks based on the MD5 hash because, while the password itself might appear in a lookup table, the combined password and random string is not likely to. And if the attacker is able to obtain the salt value for a particular use, he still has to recompute his lookup table to include the salt. And since each user has a different sale, he would have to do this separately for each one, significantly increasing the cost of the attack.
As for the security of MD5 per se, a collision attack against it and a related family of algorithms was discovered in 2005. However, I believe that attack requires that you know the original plaintext, and so is not a big concern for this type of usage.
The real problem raised by the comments in the linked article was the technique of storing the MD5 hash of the password in a cookie. As jpadie pointed out, a simple MD5 hash of the password is susceptible to a dictionary attack. Combine that with the fact that it is relatively easy for an attacker to read the browser's cookies and stealing a password becomes that much easier.
- Thread starter
- #11
- Status