[General] Why do people insist on using md5?

[Pieman]

I just don't get it. I've been working a lot with scripts not written by me recently and I noticed that almost all of them used md5 when something needed hashing, which confuses me. Why would anyone still use the old vulnerable md5 hash when there is far superior alternative available that requires no extra effort at all? Sha1 to be precise.

I personally always use sha1 when hashing something, I sometimes even use a double hash when it concerns important data, like passwords stored in cookies for example. Is it just me being paranoid? Or is it that people are just too lazy to update their code? (Which I would still find quite weird because sha1 wasn't created much later than md5)

Anyone who is able to give a rational explanation for this?

 

[Mr.Lucifer]

MD5 has become kind of a standard, and the first thing that comes in mind when someone mentions hashing. Since it's so widely used I assume people believe MD5 is the best.

 

[Cask]

If you're going to use MD5 at least add a salt ffs.

 

[Superfun]

i always do sha1(salt + md5(salt2 + password,or,so))
since md5 gets cracked all the time

 

[EliteGM]

Yup, varies for the importance of things.
If something is very important and CAN NOT be revealed you have to make up a really hard combo.

<?php
function encrypt($str)
{
	$str = sha1(md5(crypt(sha1(sha1(md5(md5(sha1(md5(sha1($str))))))), '$1hkjsahj4asdfF')));
	return $str;
}

echo encrypt("admin"). "<br />";
?>

Like that :?

 

[foxx]

i always do sha1(salt + md5(salt2 + password,or,so))
since md5 gets cracked all the time

That's little bit too much tbh

sha1(md5($pass + microtime()))

imo

 

[Superfun]

its much, but it works, other methods too, but i like that way

 

[Cask]

<?php
   
   function string_encryption($string)
   {
      if ($string == "")
      {
         $string = null;
      }
      else
      {
         $string = md5($string . "Iweiof903rWEIO03");
         $string = sha1($string . "UIEFERUIERIFOJE");
      }

      return $string;
   }

?>

 

[cvrdheeraj]

<?php
$msg = "This is some message that I just wrote";
$enc_msg = md5($msg);
print "hash2: $enc_msg <br /><br />";
?>

Output : 81ea092649ca32b5ba375e81d8f4972c

<?php
// Notice that 'message' is missing an 's'
$msg = "This is some mesage that I just wrote";
$enc_msg = md5($msg);
print "hash2: $enc_msg <br /><br />";
?>

OutPut : e86cf511bd5490d46d5cd61738c82c0c

Try both the above examples and check the difference in the MD5 hash. By altering one character, there is a big difference in the MD5 hash, although the result is 32 characters. Thus MD5 is a great tool to check even the minor differences in Data.

I personally always use sha1 when hashing something, I sometimes even use a double hash when it concerns important data, like passwords stored in cookies for example. Is it just me being paranoid? Or is it that people are just too lazy to update their code? (Which I would still find quite weird because sha1 wasn't created much later than md5)

I know that its mandatory to have encryption to Cookies, but if you are using PHP platform, Its always better to make use of PHP Sessions to store sensitive information, rather than using Cookies. They might be chances where Hackers can fool your website, by altering the cookie data.

 

[foxx]

Uh?? And? It would be different with any hash lol, this is sha1 with the same sentences for example.

40e4e88349e028d339f8dcacd4f194449d08e041

6ecb320b0d29260d51d3fb35ccf65840982491af

 

[Cancel Man]

eh, i asked my forum for you.
Here what they said:

you're a douche, what's wrong with md5? it's a one-way cipher and you can't decrypt it. it is in no way "vulnerable". there are however alot of databases out there, which hash words and keep them available for people to lookup. the same would happen with sha1 if it were as popular.

md5 combined with a salt string (a random string of characters) would make something that you simply can't decrypt, and will never be found on a database site such as gdataonline or other variants.

 

[foxx]

Of course you CAN decrypt it, there are laaaaarge md5 databases containing thousands of word. And as a friend of mine said, why to call x functions to make a safe hash when you can use just one(sha2, whirlpool).

here this page, http://www.md5decrypter.com/ can for example decrypt most of the lame passwords used nowadays(eg. "pass123").

//edit oups, they actually told you there are databases, ive only read the first sentence

 

[Pieman]

eh, i asked my forum for you.
Here what they said:

Ahum, md5 can be cracked in under 45 minutes. Tell your forum to get their facts straight.

EDIT: Proof that md5 is flawed. http://mail.python.org/pipermail/python-list/2004-September/281621.html Note that they knew 4 years ago that md5 was flawed.

 

[EliteGM]

<?php
    function encrypt($str)
    {
         return sha1(crypt(md5($str), '$1uiyasdghj489hasd'));
    }
    echo encrypt("leetpass");
?>

That will do I guess..

 

[foxx]

<?php
    function encrypt($str)
    {
         return sha1(crypt(md5($str), '$1uiyasdghj489hasd'));
    }
    echo encrypt("leetpass");
?>

That will do I guess..

U

 

[Leo The Fox]

I like using a salt + sha512.

 

[cypher]

I should have watched my mouth and not said/talked shit to DeadlyData telling him things like your are not welcome here because then I become the one who is truly not welcome here.

 

[EliteGM]

Ahum, md5 can be cracked in under 45 minutes. Tell your forum to get their facts straight.

EDIT: Proof that md5 is flawed. http://mail.python.org/pipermail/python-list/2004-September/281621.html Note that they knew 4 years ago that md5 was flawed.

cypher. read that.

 

[MaSch]

you cant get totaly secure but using some salt and sha1 is a pretty good start..

i would like to see your login-checking-function when you crypt like this:

sha1(md5($pass + microtime()))

do you save the microtime in the database?

The Problem is that if the "bad bad cracker" knows how you crypt your passwords he can break it. The question is how long it takes. There is NO DIFFERENCE of bruteforcing md5(sha1(md5(sha1('lol')))) and md5('lol') .. you just need to alter your programm. whatever.. salts are pretty good against rainbow tables and stuff like that because no rainbowtable i know knows words with more than 10 characters... but times your enemy ;-)

 

[foxx]

you cant get totaly secure but using some salt and sha1 is a pretty good start..

i would like to see your login-checking-function when you crypt like this:

sha1(md5($pass + microtime()))

do you save the microtime in the database?

The Problem is that if the "bad bad cracker" knows how you crypt your passwords he can break it. The question is how long it takes. There is NO DIFFERENCE of bruteforcing md5(sha1(md5(sha1('lol')))) and md5('lol') .. you just need to alter your programm. whatever.. salts are pretty good against rainbow tables and stuff like that because no rainbowtable i know knows words with more than 10 characters... but times your enemy ;-)

haha yea, I realised it later

 3.1.2009 
23:34:52 
foxx 
Who 
[COLOR=#800000][B]uh[/B][/COLOR]  3.1.2009 
23:34:53 
foxx 
Who 
[COLOR=#800000][B]wait[/B][/COLOR]  3.1.2009 
23:34:55 
foxx 
Who 
[COLOR=#800000][B]no  sense[/B][/COLOR]  3.1.2009 
23:35:00 
foxx 
Who 
[COLOR=#800000][B]because[/B][/COLOR]  3.1.2009 
23:35:09 
foxx 
Who 
[COLOR=#800000][B]using  microtime in password[/B][/COLOR]  3.1.2009 
23:35:14 
foxx 
Who 
[COLOR=#800000][B]you  wouldn't ever be able[/B][/COLOR]  3.1.2009 
23:35:17 
foxx 
Who 
[COLOR=#800000][B]to  [/B][/COLOR]  3.1.2009 
23:35:23 
foxx 
Who 
[COLOR=#800000][B]get it  again.. for a login etc[/B][/COLOR]

anyway we've come to conclusion that

sha2($pass + "yoursecretword")

would be the best