Question:
Website security question - loop md5 password encryption?
Josh
2013-05-14 20:19:19 UTC
I have a login form that, before sending the data from the form to a PHP script to be processed, prepares the data to be sent.
Part of the code that runs when submitting the form encrypts the password into MD5 42 times. For example (the code is JavaScript):
for (var i = 0; i < 42; i++) { // Encrypts password 42 times
    password = MD5(password);
}

Does this make my login form much more secure since it encrypts the password 42 times before the data gets sent - meaning that if the data is intercepted they will have to decrypt an MD5 code 42 times - which would be a painstaking amount of time required?
Or does this mean it makes my website more vulnerable to a client because
(a) There is a tool that can decrypt an MD5 hash into its original MD5 hash (but no further); or
(b) Software could be used to change the number of times the loop for password encryption will occur, making it impossible for the user to log in.

Basically - is the code safe from any type of hacker attack, or should I just encrypt the password once, or not at all?
Three answers:
Tweeter & the MonkeyMan
2013-05-15 12:57:31 UTC
You are making some assumptions here that may not be valid.



First, MD5 is easy to break. There are many pieces of free/open source/warez that provide rainbow tables and/or sequential (md5(md5(....(plaintext)...)) chains.



Your method will be hard to keep secret. Many tools exist to scan JavaScript, some are even browser plug-ins. Your (hash) 42 times method is trivial to discover, meaning an attacker can then attack using MD5 chains.



MD5 is not that slow to produce 'painstaking' times, except maybe for your users. You, or your user, may have to wait 2-3 minutes to run this. For a user logging on, this can be -LONGGGG- and can introduce network timeouts. For an attacker, hours is reasonable and they are fine with that. Add a few specialized chips like GPUs, set up the crack in parallel, generate the appropriate MD5 chains, and count on some luck (like the birthday problem in collisions)... and "bob's your uncle".



Without making this too complex, why not add complexity by making the input longer?

Instead of hashing the same way every time:

1) Connect to the login screen; the website asks for the username, then passes a new salt to the client.

2) The client now enters the password; your script runs MD5(today's salt + username + password).

3) Your server already knows the client, so while (2) is going on, your server can also compute the comparison result.

If you want to increase the attack time, then re-iterate 5 or 6 times, not so much that your clients are going to see a network timeout, even from a slow workstation.



(a) and (b) are both true to some extent.

And NO code is completely safe from ANY type of hacker attack.

... all you can do is make it as complex as possible with the resources you have, balancing that with the needs of your users.
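
The three-step salted login described in the answer above, next to the question's 42-round loop, as an added example that is not part of the original thread. It runs on Node.js with the built-in crypto module; the LoginServer class, the "|" separators and the sample account used with it are assumptions made for illustration.

```javascript
// Added example, not code from the original thread. Node.js built-ins only.
const nodeCrypto = require('node:crypto');

const md5 = (s) => nodeCrypto.createHash('md5').update(s, 'utf8').digest('hex');

// The question's approach: a fixed 42-round chain. The output depends only
// on the password, so it is the same string on every login.
function chain42(password) {
  let h = password;
  for (let i = 0; i < 42; i++) h = md5(h);
  return h;
}

// Step 2 of the answer: MD5(salt + username + password).
// Assumption added here: "|" separators, so that ("ab", "c") and
// ("a", "bc") cannot collapse into the same input string.
function clientResponse(salt, username, password) {
  return md5([salt, username, password].join('|'));
}

// Hypothetical in-memory server. As step 3 implies, it has to hold the
// password itself in order to recompute the expected response.
class LoginServer {
  constructor(users) {
    this.users = users;        // Map: username -> password (constructed data)
    this.pending = new Map();  // Map: username -> salt issued for this attempt
  }
  // Step 1: issue a fresh random salt for this login attempt.
  challenge(username) {
    const salt = nodeCrypto.randomBytes(16).toString('hex');
    this.pending.set(username, salt);
    return salt;
  }
  // Step 3: recompute and compare. Each salt is accepted at most once.
  verify(username, response) {
    const salt = this.pending.get(username);
    this.pending.delete(username);
    if (salt === undefined || !this.users.has(username)) return false;
    const expected = Buffer.from(clientResponse(salt, username, this.users.get(username)));
    const got = Buffer.from(String(response));
    return got.length === expected.length && nodeCrypto.timingSafeEqual(got, expected);
  }
}
```

The value from chain42 is identical on every login, while a response computed for one salt does not verify once the server has issued the next one.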
?
2016-08-22 02:19:39 UTC
2
2014-07-17 01:54:07 UTC
confusing situation query in the search engines it will help


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.