idea about encrypting passwords..

i just had this nice idea, to encrypt users' passwords on your site, make a script that reads the password letter by letter, and make it encrypt every letter into MD5 or whatever, so lets say if you had a 10 chars length password, you'll have 10 md5 hashes next to eachother….and then MD5 the result.. so let's say my password is "god", the script will do this:

g=b2f5ff47436671b6e533d8dc3614845d o=d95679752134a2d9eb61dbd7b91c4bcc d=8277e0910d750195b448797616e091ad

g+o+d=b2f5ff47436671b6e533d8dc3614845dd95679752134a2d9eb61dbd7b91c4bcc8277e0910d750195b448797616e091ad

hash =460d40de12f6e6b2428afc31555ca5e6 (Which is the MD5 of g+o+d)

nice idea, but theres a limit to how long a string can be to be encyrpted with Md5.

i cant remember the exact length, but im sure with a name like longer than a few charachters will have problems when trying to MD5 it.

oh…….. how abt Sha-1 ?

princible applies to all forms of encyrption alithograms.

you could hsh thm in pairs. god hash: g o d hash: hashs(g and o) hash hahs (g+o and d)

g+o+d=020EC4594D7210162684DE2E2A061161D6

That is you take the 3 hashes and add them together. They turn out to be gobbledegoop but it will be a better encyption than trying to encrypt a 96 character password :P

Mr_Cheese wrote: nice idea, but theres a limit to how long a string can be to be encyrpted with Md5.

i cant remember the exact length, but im sure with a name like longer than a few charachters will have problems when trying to MD5 it.

I once calculated that number. If I'm not mistaking it was between 25 and 30. So having a long pass doesn't mean that you're secure.

It could be that the pass of your 55 char pass is also the hash of 'a', and in this case, you could just access your account using a :p

yeah i had this collision question some time ago :P should be somewhere in the forums…

is it possible to put a pwd into md5 and then sha1 or vice versa?

Yep, by doing:

<?
$password="whatever";
$encrypted=md5(sha1($password));
?>

that would md5 the string, then sha1 the md5 hash.

it IS possible to do this (Termed as Double Dutch by some) But the password will be no more secure than if you put into double MD5 or double SHA1. the collision rate is 1 in 340 decillion. this is not that high thinking of how many characters that could be. excluding ASCII characters that would be a maximum of…20 characters. SHA1 is a bit larger with a max of around 25 characters. so a new algorithm would have to be made. perhaps one that has alphanumeric instead of hex.

178,689,910,246,017,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 would be the number of possible passwords with a 36 character algorithm that was 40 characters long.

MD5 = 340,282,366,920,938,000,000,000,000,000,000,000,000

SHA1 = 1,461,501,637,330,900,000,000,000,000,000,000,000,000,000,000,000

still a rare chance but it does happen to have collisions.

i see

nice idea, but theres a limit to how long a string can be to be encyrpted with Md5.

i cant remember the exact length, but im sure with a name like longer than a few charachters will have problems when trying to MD5 it.

To Mr_Cheese and the_cell, there is no limit on how many characters you can use in any encryption algorithm, ESPECIALLY MD5. MD5 was first made and intended to 'fingerprint' full documents, this could mean an entire book! Aldarhawk is right about the probability of finding collisions, however it is still a pretty good idea because if every character is encrypted and then that entire string is encrypted, it won't be susceptible to brute-force or dictionary attacks. On top of that, the hacker is likely to think it's a normal MD5 hash and go on trying to brute-force it, meanwhile keeping your passwords secure.

I personally use my own encryption algorithm for securing data, but that's just me.

What I'm using for H2H right now is to MD5 the password, salt it, then MD5 it again. That's about as secure as I need it to be - anyone that cracks a password deserves to get into that account :P

Unless it's the US government…:D

Lol, well I'll bet I could ;) If you know the algorithm, it's not hard to crack. I would keep it secret if I was you and perhaps periodically change the key.

Your encryption method has a horrible hole other than the whole "string size limit" crap.

If you encrypted one letter at a time then that means there are very few possible hashes. Let's assume all passwords are alphanumeric- that's 26 letters and 10 numerals, making 36 different possible hashes. Since md5 always makes a 32-character hash, you just have to split it into segments of 32 and say "if it looks like this, it's an A. if it looks like this, it's a B."

A computer program could crack your hash in a matter of seconds.

b1tw1s3 wrote: Your encryption method has a horrible hole other than the whole "string size limit" crap.

If you encrypted one letter at a time then that means there are very few possible hashes. Let's assume all passwords are alphanumeric- that's 26 letters and 10 numerals, making 36 different possible hashes. Since md5 always makes a 32-character hash, you just have to split it into segments of 32 and say "if it looks like this, it's an A. if it looks like this, it's a B."

A computer program could crack your hash in a matter of seconds.

No it couldn't, MD5 can't be reversed like your thinking… Plus, if a hacker found the pass, he would prolly think its a regular MD5 like stated above. If the hacker did figure out the method used, he would need to program a brute force/dictionary attack program which md5'd each individual letter, put those into a string, md5'd that new string, and then compared it to the hash he is tryin to crack. It would take longer than a normal brute force since there would be (password length + 1) md5 encyrptions taking place for each check. Why not make your own algorithm to add up the characters into a single hash and then md5 encrypt this again. Making your own algorithm is probably the most secure way since the possibilities are endless, as long as no1 gets ahold of your key.

Oh XP The final hash is the hash of the conjoined hashes. I was thinking that his final hash was just the conjoined hashes. That's what I get for reading quickly and really early in the morning. Much apologies for the misunderstanding ^^;; But I don't think it would actually take that much longer to brute force it. Because if you think of it, there's a limitted number of possible hashes and therefore multiple different strings would render the same hash. While "b2f5ff47436671b6e533d8dc3614845dd95679752134a2d9eb61dbd7b91c4bcc8277e0910d750195b448797616e091ad" creates the desired hash (460d40de12f6e6b2428afc31555ca5e6), there's probably a 14-letter or less string that makes the exact same one. Sure it may end up being an odd password like "%4Hs*kZ", but it'd still generate the same hash and therefore solve our purposes.

Well, you all can do that I just use a really long password like

ethyl-s-2-diisopropylaminoethylmethylphosphonothiolate

Rebirth wrote: well most sytems now uses Double MD5's or Salted Md5's. While not unbreakable these little things can be some MAJOR security help

Heh, do double dutch, Md5, theh SHA-1. Its DAMN hard to crack.

Bl4ckC4t

I beg to differ with you, Grindordie. IF you use a double md5, you're simply adding another process that the hacker has to go through, only realyl slowing down the bruteforcer, not adding extra security.

On ther other hand, Black Cat's solution involves Sha1. I'd recommend Sha1 with a 256-bit key. That way they'd have to guess the key first.

Okay, time for me to get a word in again…

First:

b1tw1s3 wrote: Sure it may end up being an odd password like "%4Hs*kZ", but it'd still generate the same hash and therefore solve our purposes.

That wouldn't work, because the plaintext would be put through the same algorithm as the website, not simply a single md5 so the results would be different.

Second: Adding a double hash or anything else for that matter DOES increase the security. Adding something extra that cannot be cracked with nothing more than downloading a program will eliminate about 90% of the people out there because they're either to lazy to program something to crack it themselves or they don't know how to in the first place. Also, it may not seem like much of a difference, but the more times a string is hashed, the longer it takes to encrypt that string. . it may be milliseconds, but when you're talking about two billion tries to reach the desired password, it adds up fast.

And like I said before, I would still recommend creating your own algorithm instead of relying on one that has had years for people to find methods on how to break and bypass it.

no dont use a new one you made up. you shouldnt relay on obsurity for security. use a tested scheme.

no dont use a new one you made up. you shouldnt relay on obsurity for security. use a tested scheme.

i am with jake on this one. if you have an old method of anything especially encryption that's been around for a bit and how to decrypt it is publicly known then its way easier to decrypt it than a new one thats unknown. lol. for example most people cant do much of the encryption challenges on HBH. but i bet you $100 that if i told someone how to decrypt it then duh they could and would lol. So back to realisticly, people know how to decrypt MD5's quite easily. So that isn't much of a problem. But if someone like Jake makes their own encryption that is very good and nobody knows how to decrypt it then um…lol i think i would roll with Jake for my encryptions lol. Thats my 2 cents :D

ok fair enough for people with limited rescourse. but for any seriouse work you want kept secret over a long time use a tried and tested method?

http://en.wikipedia.org/wiki/Security_through_obscurity

Bouncer - are you talking about decrypting it other than brute force or a dictionary file?