Ccna final exam - java, php, javascript, ios, cshap all in one.
Wednesday, May 16, 2012
Is it possible to break a sha1(md5("password")) password?
This is the question: Is it possible to break a sha1(md5('password')) password?
Multiple hashing doesn't further secure your password. Just use a secure, salted hash.
Check out http://php.net/hash

According to Wikipedia's MD5 article:
"The security of the MD5 hash function is severely compromised."
So adding MD5 to a SHA1 is not gonna make your thing more secure. I would even say that hashing an already hashed thing is not gonna make it more secure either.
A common mechanism that many people use for storing passwords is a salt encryption over a hashed string.

Since no one answered the original question: Yes, it is possible.
As to the second question: md5(sha1('password')) will actually reduce security compared to just using sha1 because the hash size will be reduced. And the other way around doesn't help either.
Always use salting!

md5 will get you a 32-character string.
sha1 will get you a 40-character string.
But, in both cases, those strings will only contain hexadecimal characters, which means only 16 possible values for each position: 0-9 and a-f.
I don't think using md5+sha1 (no matter in which order you call those) is such a good idea: using only one of those on your password will probably be safer.
Just consider:
You can have, say, at least 8 characters in your password.
Each of those 8 characters can be a letter (upper or lower case), a number, a special character; which means at least something like 75 possibilities for each position.
Don't you think that would make more possible combinations than 32 hexadecimal characters?
Just use one hashing function, and salt your password.
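
The points made in the answers above, as an added example that is not part of the original thread: sha1(md5(...)) takes no per-user input, so equal passwords give equal digests and one pass over a weak-password list checks every account, while a salted hash does not behave that way. The helper name audit_unsalted, the accounts and the word list are constructed for illustration, and password_hash()/password_verify() are this example's choice of salted hash, not one the answers name.

```php
<?php
// Added example, not code from the original answers.
// All accounts, passwords and the word list are constructed sample data.

// The scheme from the question: PHP's md5() returns 32 hex characters,
// and sha1() then hashes that hex string.
function nested_hash(string $password): string
{
    return sha1(md5($password));
}

// Audit helper (hypothetical name): report which stored unsalted digests
// match a list of known-weak passwords. The list is hashed once and then
// covers every account, because the scheme has no per-user input.
function audit_unsalted(array $stored, array $weakList): array
{
    $lookup = [];
    foreach ($weakList as $candidate) {
        $lookup[nested_hash($candidate)] = $candidate;
    }
    $flagged = [];
    foreach ($stored as $user => $digest) {
        if (isset($lookup[$digest])) {
            $flagged[$user] = $lookup[$digest];
        }
    }
    return $flagged;
}

$stored = [
    'alice' => nested_hash('password'),
    'bob'   => nested_hash('password'),
    'carol' => nested_hash('T7#kd92!xQ'),
];

// alice and bob chose the same password, so their stored digests are equal.
var_dump($stored['alice'] === $stored['bob']);

// Flags alice and bob; carol's password is not on the weak list.
print_r(audit_unsalted($stored, ['123456', 'password', 'letmein']));

// Salted alternative: password_hash() draws a fresh random salt on every
// call and stores it inside the returned string, so two records for the
// same password differ and a precomputed lookup table no longer applies.
$a = password_hash('password', PASSWORD_DEFAULT);
$b = password_hash('password', PASSWORD_DEFAULT);
var_dump($a === $b);                       // the two records are compared
var_dump(password_verify('password', $a)); // correct password is checked
var_dump(password_verify('letmein', $a));  // wrong password is checked
```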