Skilled Illusionist (joined Apr 20, 2009)
The problem with hashing multiple times is the output format.
Usually MD5 hashes are represented as 32-digit hexadecimal numbers.
If you happen to have a rainbow table with the MD5 hash of all 32-digit hexadecimal numbers (that's hypothetical, we all know people hacking in PT just press a button on a program they didn't make), you'll speed up the "dehashing" of all the successive hashes and it'll come down to cracking the first hash, the one you did on the clear password. Key-stretching is a good way to slow down the attacker, but doing it on a static length with a static set of characters is rendered useless as soon as the attacker uses a dictionary of precomputed hashes.
IMO hashing once is more than enough, especially if you use the SHA-2 family as suggested. You could even use the less power-hungry SHA-1 or MD5; seriously, who's going to brute-force a PT server? An MD5 ASCII rainbow table with data as long as 9 characters already costs 1000 USD if you don't want to spend years computing it yourself. Just enforce passwords longer than 10 on your registration page and you're set for a couple of years.
While I'm at it, I'll add a few things.
First, MD5 isn't unsafe in the sense that you can magically find the plain text from a hash. By definition a hash is a destructive operation; you can't go back, period.
What makes a hash function secure can be defined by how hard it is to generate collisions.
There are two types of collisions:
- the weak collision: if you have a hash result K, it's hard to generate a document M such that hash(M) = K
- the strong collision: it's hard to generate two documents M and M' such that hash(M) = hash(M')
If you use MD5 only to store your passwords in an obfuscated way, I think it's still valid. Nobody will find the plain password unless brute-forcing for a long time, especially if you enforce a minimum length for your passwords.
However, MD5 is unsafe for signing certificates, for instance, because from a valid certificate with a valid signature (K), you can generate a rogue certificate M, with complex padding, and sign it with the signature K. The certificate will appear valid to any client receiving it because hash(M) = K.
Toodles.
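The precomputed-dictionary problem described in the post, worked through as an added example (this is not code from the original post or from PT): unsalted, iterated MD5 has a fixed output format, so an attacker hashes a wordlist once into a table and then cracks every user with one lookup each, and two users with the same password get the same stored hash. The example goes one step beyond the post by adding a per-user random salt, which makes the shared table useless and forces the attacker to redo the whole precomputation once per user. The wordlist, user names, passwords and round count are all constructed for the demo; the MD5-call counter is a hypothetical cost model, not a timing measurement.

```python
"""Precomputed-dictionary attack on unsalted, iterated MD5 password hashes,
and the effect of a per-user salt. Added example with constructed data."""
import hashlib
import os

ROUNDS = 1000  # arbitrary key-stretching depth for the demo

# Constructed stand-in for a real wordlist / rainbow table.
WORDLIST = ["password", "letmein", "dragon", "qwerty12", "Tr0ub4dor&3", "correcthorse"]

# Constructed user database: (username, plaintext). Plaintext is shown only so
# the demo can build the stored hashes; the defender keeps hash (and salt) only.
USERS = [("alice", "letmein"), ("bob", "dragon"), ("carol", "letmein"), ("dave", "zx9$Kq!pLm2")]

_md5_calls = 0  # counts primitive MD5 invocations so attacker effort can be compared


def md5_hex(data: bytes) -> str:
    """One MD5 invocation, returned as the usual 32-character lowercase hex digest."""
    global _md5_calls
    _md5_calls += 1
    return hashlib.md5(data).hexdigest()


def iterated_md5(password: str, rounds: int = ROUNDS, salt: bytes = b"") -> str:
    """Chain of MD5s as discussed in the post: every round re-hashes the previous
    32-character hex digest, so the input format of rounds 2..n is fixed no matter
    what the password was. salt=b"" is the unsalted scheme; a non-empty salt is
    mixed into every round."""
    h = md5_hex(salt + password.encode())
    for _ in range(rounds - 1):
        h = md5_hex(salt + h.encode())
    return h


def precompute_table(wordlist, rounds: int = ROUNDS, salt: bytes = b"") -> dict:
    """Attacker side: hash every candidate once and index by digest.
    Against the unsalted scheme this table is built ONCE and reused against every
    user and every leaked database that uses the same rounds."""
    return {iterated_md5(w, rounds, salt): w for w in wordlist}


def attack_unsalted(users, wordlist, rounds: int = ROUNDS):
    """Returns (cracked {user: password}, md5 calls spent by the attacker,
    number of distinct stored hashes). One shared table, one lookup per user."""
    global _md5_calls
    db = {u: iterated_md5(p, rounds) for u, p in users}  # defender's stored hashes
    _md5_calls = 0                                      # count attacker work only
    table = precompute_table(wordlist, rounds)
    cracked = {u: table[h] for u, h in db.items() if h in table}
    return cracked, _md5_calls, len(set(db.values()))


def attack_salted(users, wordlist, rounds: int = ROUNDS):
    """Per-user random salt. Returns (cracked, hits the unsalted shared table
    still gets, md5 calls spent). The attacker must rebuild the dictionary for
    every salt, multiplying the precomputation by the number of users."""
    global _md5_calls
    db = {}
    for u, p in users:
        salt = os.urandom(16)                           # stored next to the hash
        db[u] = (salt, iterated_md5(p, rounds, salt))
    _md5_calls = 0
    shared = precompute_table(wordlist, rounds)         # the old unsalted table
    shared_hits = sum(1 for _, h in db.values() if h in shared)
    cracked = {}
    for u, (salt, h) in db.items():
        per_user_table = precompute_table(wordlist, rounds, salt)
        if h in per_user_table:
            cracked[u] = per_user_table[h]
    return cracked, shared_hits, _md5_calls


if __name__ == "__main__":
    c, cost, distinct = attack_unsalted(USERS, WORDLIST)
    print(f"unsalted: cracked {sorted(c)} with {cost} MD5 calls; "
          f"{distinct} distinct hashes for {len(USERS)} users")
    c, hits, cost = attack_salted(USERS, WORDLIST)
    print(f"salted:   shared table hits={hits}; cracked {sorted(c)} with {cost} MD5 calls")
```

The counter makes the asymmetry visible: the unsalted attack costs len(WORDLIST) * ROUNDS MD5 calls regardless of how many users leaked, and alice and carol share a stored hash; with salts the same wordlist still cracks the weak passwords, but only after len(USERS) + 1 full table builds, and the pre-existing table scores zero.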