md5 Alternative

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    md5 Alternative

    We all know md5 is no more secure now a days... And many developers using md5 in their DB to detect and secure the password method.. So why we suggest our users to use spacial characters in their password.
    But Its really bothered user's freedom in our sites.
    So why this thread is created to post your own created method as the alternative of md5

    Here is an Example :

    PHP Code:
     my own created super password function 

    <?php 
    function enchsetenev($toencode,$times) {     $salt 's+(_a*';     for($zo=0;$zo<$times;$zo=$zo+1)     {         $toencode hash('sha512',salt.$toencode);         $toencode md5($toencode.$salt);     }     return $toencode; }  ?> 

    how to use it ? 
    simply.. 
    <?  $password="[B][COLOR=Red]this password is super ultra mega secure and noone would decrypt it for atleast 10 years.. or even alot more[/COLOR][/B]";  $supersecurepassword=enchsetenev($password,1000);  ?>


    now 1000 is a somehow a fast processed password, i mean it won't take much time to encode it... in most cases about 100-200ms (depends..)

    however if you put 10000 (10 000 times encrypted with hash sha512 and md5 ) that would take about 1 second to process


    Salt isn't just preventig hash-value pair reuse.

    Salt is for preventig rainbow table attacks. Rainbow tables are only useful for short passwords (6-8-10 characters, or so). If you salt your passwords, you increase the length of the hashed string dramatically, so they will not match anything in the rainbow table.

    The fact, that 8 character length passwords can be bruteforced with a PC is not the fault of the MD5 algorithm. sha1, or whatever hashes can be broken in a same way (brute force). The problem is that these hashes a "too fast". They can ben done billions of times per second.

    To prevent (slow down) brute force attacks, one can construct a hash function that is very hard to compute. This can be done easily:

    PHP Code:
    <?php 
    $hash 
    $password $salt;  for ( $i 0$i 10000$i++ ) {   $hash md5$hash ); }  
    //Store your $hash 
    ?>
    This is an implementation of the PBKDF2 function wich is described in the PKCS #5 v2 document.


    Another Process


    PHP Code:
    <?php function encrypt($v1,$v2=''){     $token md5(sha1(crc32(md5(base64_decode($v1.$v2)).$v2)));     return $token; }?> 






    Here's a better password checker that tries to guess the password in  a certain order.  I found that the random guess ones would never do  anything more than 3-4 characters because random guesses are never  guaranteed to touch all the guesses. 

    This is a sequential password guesser, it needs to know the length  of the target password.  Maybe someone can add on variable length  passwords.  All you have to do is adjust the fingerprint size and reset  it to all zeros. 

    it can guess "foo" as the password in 6 seconds on 1.7Ghz athlon (bogomips: 3504) 



    //// Use Pass word Genarator 


    <?php  set_time_limit(0);  $_GET['password'] = $argv[1];  $_GET['length'] = @$argv[2];   function randomkeys($length)  {      $pattern "1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ";      $pattern .= "abcdefghijklmnopqrstuvwxyz";      $key  $pattern{rand(0,61)};      for($i=1;$i<$length;$i++)      {          $key .= $pattern{rand(0,61)};      }      return $key;  }   function getpwguess($length, &$fingerprint) {      static $allchars = array( '1','2','3','4','5','6','7','8','9','0''a','b','c','d''e','f','g','h','i','j''k','l','m','n''o','p','q','r','s','t','u','v''w','x','y','z','A','B','C''D','E','F','G','H','I','J','K','L''M','N','O','P','Q','R','S','T''U','V','W','X','Y','Z');     $guess = array();     $next false;     foreach ($fingerprint as $index => $fing) { 

            if (
    $next == true) { 
                
    $fingerprint[$index]++; 
                
    $fing++; 
                
    $next false
            } 

            if (
    $fing == 62) { 
                
    $fingerprint[$index] = 0
                
    $fing 0
                
    $next true
                
    $guess[]  = $allchars[$fing]; 
                continue; 
            } 

            
    $guess[]  = $allchars[$fing]; 
        } 
        
    $fingerprint[0]++; 

        return 
    implode('',$guess); 

     } 
      
     if (isset(
    $_GET['password'])){ 
     
    $password $_GET['password']; 
     
    $password_length strlen($password); 
     } 
     else 
     { 
     
    $password_length 3
     if (isset(
    $_GET['length'])){ 
     
    $password_length $_GET['length'];} 
     
    $password randomkeys($password_length); 
     } 
      
     echo 
    "Password is: $password \n"
     
    $password md5($password); 
     
    $attempts 0
     
    $start microtime(true); 
     
    $guess ''
     
    $fingerprint = array(); 
     for (
    $x=0$x $password_length$x++) {      $fingerprint[$x] = 0;  }   while ($password != $guess){     $rndm getpwguess($password_length,$fingerprint);     $guess md5($rndm);     $attempts++;      //echo "tried $rndm... (skipping 100)\r\n";     if ($attempts % 1000 ==0 ) {      echo "tried $rndm... (skipping 1000)\r\n";     }     //if the last bucket is 62, then we've tried them all     if ($fingerprint[ ($password_length-1)] == 62) {         echo "Tried every combination, maybe password isn't ".$password_length." chars long?\n";         //here is where you would increase password length, re-init fingerprint array         //  if you didn't know the target length.     }   }  $end = microtime(true);  $time = $end-$start;  echo "Password guessed ('".$rndm."') correctly after $attempts attempts and $time seconds";  ?>
    Added after 2 minutes:

    Thank You All..
    Last edited by BioBeo; 12.06.11, 03:27.

    #2
    When a combination lock is easily breakable, none will think about to unlock the lock by trying to match the right combination.
    Similarly, hackers will not think about breaking the password (encoded with one hash function like md5 or a complex encoding ), when there are other ways to hack the site. To protect an account, simply track the ip, browser if possible cookies while log in. When any of those values will mismatch to the current values, account will be automatically locked, and an unlock code will be automatically sent to the account holder's email address. Example: rapidshare.com. Its a pretty simple but effective solution for account protection.
    Last edited by rukiya; 05.09.10, 13:11.

    Comment


      #3
      Yeah...But Do you know there are many users using the ISP which change the IPs randomly ??? Like my one... so if your site is dynamic and obtain database then It's secure to create your own password encryption function.. as I have done... because brute force attack and the dictionary word match will be totally useless then... :p

      Comment


        #4
        md5 is stil standard. It depends on d site owner to advice users to avoid dictionary words.

        Comment


          #5
          Originally posted by mobileGIGS View Post
          md5 is stil standard. It depends on d site owner to advice users to avoid dictionary words.
          man why users will be panic on that thing... If you build a smart site then It should be User Friendly and Highly Secured...
          Last edited by BioBeo; 18.09.10, 17:41.

          Comment


            #6
            hehehe nice one buddy, i use my own password encryption in my site also the session ID's

            Comment


              #7
              Originally posted by BioBeo View Post
              man why users will be panic on that thing... If you build a smart site then It should be User Friendly and Highly Secured...
              And u think the encryption u code up can stop anyone? Hypothetical situation, I maybe upload a shell grab ur script, inject ur database, get the passwords then reverse ur stupid encryption. Thats just one way. Ther are many other ways. But if they r md5'd then i would be looking for an md5 dictionary, then hoping the password is a dictionary word. You only use reversible encryption so u can read ppls passwords. Freaks.

              Added after 6 minutes:

              ...but its ur site, ur decision though.
              Last edited by CreativityKills; 02.10.10, 16:38.

              Comment


                #8
                Originally posted by CreativityKills View Post
                And u think the encryption u code up can stop anyone? Hypothetical situation, I maybe upload a shell grab ur script, inject ur database, get the passwords then reverse ur stupid encryption. Thats just one way. Ther are many other ways. But if they r md5'd then i would be looking for an md5 dictionary, then hoping the password is a dictionary word. You only use reversible encryption so u can read ppls passwords. Freaks.

                Added after 6 minutes:

                ...but its ur site, ur decision though.

                What you think.. ? Can you decrypt a string which based on this function ?



                my own created super password function

                <? function enchsetenev($toencode,$times) { $salt = 's+(_a*'; for($zo=0;$zo<$times;$zo=$zo+1) { $toencode = hash('sha512',salt.$toencode); $toencode = md5($toencode.$salt); } return $toencode; } ?>

                how to use it ?
                simply..
                <? $password="this password is super ultra mega secure and noone would decrypt it for atleast 10 years.. or even alot more"; $supersecurepassword=enchsetenev($password,1000); ?>

                If you can then I think I should CUT my Fingers by which I have coded this..
                Last edited by BioBeo; 06.11.10, 16:09.

                Comment


                  #9
                  Theres md5 there so it doesnt count. U r using PHP's native encryption soo...

                  Comment


                    #10
                    Originally posted by CreativityKills View Post
                    Theres md5 there so it doesnt count. U r using PHP's native encryption soo...
                    So it's unbreakable buddy !

                    Comment


                      #11
                      yeah, its unbreakable. One question though, you have to loop md5, sha512, hash a thousand times each time you want to set and get password? Thats ridiculous, not that i dont think its unbreakable, but there are more efficient ways to achieve that.

                      Comment


                        #12
                        Originally posted by CreativityKills View Post
                        yeah, its unbreakable. One question though, you have to loop md5, sha512, hash a thousand times each time you want to set and get password? Thats ridiculous, not that i dont think its unbreakable, but there are more efficient ways to achieve that.
                        Bro I have coded this over a year ago.. but now I am using more smart and more secure which is impossible to decrypt and which takes 1.5 ms to encrypt.. But I will share it here too when I will code the new version of it...

                        Comment


                          #13
                          look if i were u i wouldnt be too bothered about password encryption. Anyone smart enuff to sqli ur ass is defo smart enuff to still login to ur account without a password, registering a new accout and copying the encrypted version to the admin user row will give him access, but then again he's most likely to ......
                          PHP Code:
                          DROP `database
                          that dont require a password, does it.

                          Comment


                            #14
                            Originally posted by CreativityKills View Post
                            look if i were u i wouldnt be too bothered about password encryption. Anyone smart enuff to sqli ur ass is defo smart enuff to still login to ur account without a password, registering a new accout and copying the encrypted version to the admin user row will give him access, but then again he's most likely to ......
                            PHP Code:
                            DROP `database
                            that dont require a password, does it.
                            If it's so easy then sites like facebook twitter can't run for so long.. and I am not talking about security holes cause it could be prevent and about xss you should check it with this software.. Acunetix Web Vulnerability Scanner 7 and as I am having a big thought behind my project so why I am always give max priority for security and every one must..

                            Comment


                              #15
                              okay suit yourself. Was just an advice. There are better ways to handle that

                              Comment

                              Working...
                              X