We all know md5 is no longer secure nowadays... And many developers are using md5 in their DB to detect and secure the password method.. So that is why we suggest our users to use special characters in their password.
This is an implementation of the PBKDF2 function which is described in the PKCS #5 v2 document.
But it really bothers users' freedom on our sites.
So that is why this thread was created: to post your own created method as an alternative to md5.
Here is an Example :
PHP Code:
my own created super password function
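<?php
// Hashes $toencode $times times with SHA-512 then MD5, mixing in a fixed salt each round.
function enchsetenev($toencode, $times) {
    $salt = 's+(_a*';
    for ($zo = 0; $zo < $times; $zo = $zo + 1) {
        $toencode = hash('sha512', $salt . $toencode);
        $toencode = md5($toencode . $salt);
    }
    return $toencode;
}
?>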
how to use it ?
simply..
<?php
$password = "this password is super ultra mega secure and noone would decrypt it for atleast 10 years.. or even alot more";
$supersecurepassword = enchsetenev($password, 1000);
?>
Now 1000 is somehow a fast processed password, I mean it won't take much time to encode it... in most cases about 100-200ms (depends..)
However, if you put 10000 (10 000 times encrypted with hash sha512 and md5) that would take about 1 second to process.
Salt isn't just preventing hash-value pair reuse.
Salt is for preventing rainbow table attacks. Rainbow tables are only useful for short passwords (6-8-10 characters, or so). If you salt your passwords, you increase the length of the hashed string dramatically, so they will not match anything in the rainbow table.
The fact that 8 character length passwords can be bruteforced with a PC is not the fault of the MD5 algorithm. sha1, or whatever hashes, can be broken in the same way (brute force). The problem is that these hashes are "too fast". They can be done billions of times per second.
To prevent (slow down) brute force attacks, one can construct a hash function that is very hard to compute. This can be done easily:
PHP Code:
<?php
$hash = $password . $salt;
for ( $i = 0; $i < 10000; $i++ ) {
    $hash = md5( $hash );
}
//Store your $hash
?>
Another Process
PHP Code:
<?php
function encrypt($v1, $v2 = '') {
    $token = md5(sha1(crc32(md5(base64_decode($v1 . $v2)) . $v2)));
    return $token;
}
?>
Here's a better password checker that tries to guess the password in a certain order. I found that the random guess ones would never do anything more than 3-4 characters because random guesses are never guaranteed to touch all the guesses.
This is a sequential password guesser, it needs to know the length of the target password. Maybe someone can add on variable length passwords. All you have to do is adjust the fingerprint size and reset it to all zeros.
It can guess "foo" as the password in 6 seconds on a 1.7 GHz Athlon (bogomips: 3504).
// Use Password Generator
<?php
set_time_limit(0);
// CLI arguments: target password and (optionally) its length
$_GET['password'] = $argv[1] ?? null;
$_GET['length'] = $argv[2] ?? null;

// Builds a random alphanumeric key of the given length
function randomkeys($length) {
    $pattern = "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    $pattern .= "abcdefghijklmnopqrstuvwxyz";
    $key = $pattern[rand(0,61)];
    for($i=1;$i<$length;$i++) {
        $key .= $pattern[rand(0,61)];
    }
    return $key;
}

// Returns the next sequential guess; $fingerprint holds one counter per character position
function getpwguess($length, &$fingerprint) {
    static $allchars = array(
        '1','2','3','4','5','6','7','8','9','0',
        'a','b','c','d','e','f','g','h','i','j','k','l','m',
        'n','o','p','q','r','s','t','u','v','w','x','y','z',
        'A','B','C','D','E','F','G','H','I','J','K','L','M',
        'N','O','P','Q','R','S','T','U','V','W','X','Y','Z');
    $guess = array();
    $next = false;
    foreach ($fingerprint as $index => $fing) {
if ($next == true) {
$fingerprint[$index]++;
$fing++;
$next = false;
}
if ($fing == 62) {
$fingerprint[$index] = 0;
$fing = 0;
$next = true;
$guess[] = $allchars[$fing];
continue;
}
$guess[] = $allchars[$fing];
}
$fingerprint[0]++;
return implode('',$guess);
}
if (isset($_GET['password'])){
$password = $_GET['password'];
$password_length = strlen($password);
}
else
{
$password_length = 3;
if (isset($_GET['length'])){
$password_length = $_GET['length'];}
$password = randomkeys($password_length);
}
echo "Password is: $password \n";
$password = md5($password);
$attempts = 0;
$start = microtime(true);
$guess = '';
$fingerprint = array();
for ($x=0; $x < $password_length; $x++) {
    $fingerprint[$x] = 0;
}
while ($password != $guess){
    $rndm = getpwguess($password_length,$fingerprint);
    $guess = md5($rndm);
    $attempts++;
    //echo "tried $rndm... (skipping 100)\r\n";
    if ($attempts % 1000 ==0 ) {
        echo "tried $rndm... (skipping 1000)\r\n";
    }
    //if the last bucket is 62, then we've tried them all
    if ($fingerprint[ ($password_length-1)] == 62) {
        echo "Tried every combination, maybe password isn't ".$password_length." chars long?\n";
        //here is where you would increase password length, re-init fingerprint array
        // if you didn't know the target length.
    }
}
$end = microtime(true);
$time = $end-$start;
echo "Password guessed ('".$rndm."') correctly after $attempts attempts and $time seconds";
?>
Thank You All..
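The salting and key-stretching points raised in the thread above, as an added example that is not part of the original posts: PBKDF2-HMAC-SHA256 through PHP's hash_pbkdf2(), with a random salt per password, the iteration count stored beside the hash, and a constant-time comparison on login. The function names, the record layout and the iteration count are assumptions of this example.

```php
<?php
// Added example (not from the thread): PBKDF2 with a per-password random salt.
// Record layout "pbkdf2$<iterations>$<salt b64>$<hash b64>" is an assumption.
const PBKDF2_ALGO = 'sha256';
const PBKDF2_ITERATIONS = 600000; // assumed work factor; tune to your hardware
const PBKDF2_KEY_BYTES = 32;

function pw_hash(string $password, int $iterations = PBKDF2_ITERATIONS): string
{
    // A fresh salt per password: equal passwords give different records,
    // so a precomputed table cannot be reused across accounts.
    $salt = random_bytes(16);
    $dk = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, PBKDF2_KEY_BYTES, true);
    return implode('$', ['pbkdf2', $iterations, base64_encode($salt), base64_encode($dk)]);
}

function pw_verify(string $password, string $record): bool
{
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2' || !ctype_digit($parts[1])) {
        return false; // malformed record
    }
    $iterations = (int) $parts[1];
    $salt = base64_decode($parts[2], true);
    $expected = base64_decode($parts[3], true);
    if ($iterations < 1 || $salt === false || $expected === false || $expected === '') {
        return false;
    }
    // Recompute with the salt and iteration count stored in the record.
    $dk = hash_pbkdf2(PBKDF2_ALGO, $password, $salt, $iterations, strlen($expected), true);
    return hash_equals($expected, $dk); // constant-time comparison
}

function pw_needs_rehash(string $record): bool
{
    // True when the record was created with a lower work factor than the current one.
    $parts = explode('$', $record);
    return count($parts) !== 4 || (int) $parts[1] < PBKDF2_ITERATIONS;
}

// Constructed sample input
$record = pw_hash('correct horse battery staple');
var_dump(pw_verify('correct horse battery staple', $record));
var_dump(pw_verify('wrong guess', $record));
var_dump(pw_hash('same password') === pw_hash('same password'));
var_dump(pw_needs_rehash(pw_hash('old account', 1000)));
```

PHP's built-in password_hash() and password_verify() manage the salt and cost parameters in the same way and are the usual choice when bcrypt or Argon2 is acceptable.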