Free Web Hosting Forum
#1 dx4 (Member; Posts: 95; Join Date: Mar 2012)
Password encryption - 06-05-2012, 08:42 AM

I noticed that our passwords aren't encrypted in the 000webhost login area.

This is very risky, so I suggest our passwords be encrypted with md5 or any other similar method, discard the password reveal and replace it with a password reset in case someone forgets their password.


And when everything else fails, try reading the manual.
#2 Leder678 (Senior Member; Posts: 1,618; Join Date: Jan 2009; Location: Norway)
06-05-2012, 09:48 AM

May I ask you where it isn't encrypted/hidden?


Follow me on twitter @Mortenrb

W3Fools - Read and learn

Please AT LEAST read the 10 bolded lines of the TOS at:
http://www.000webhost.com/includes/tos.php
#3 dx4 (Member; Posts: 95; Join Date: Mar 2012)
06-05-2012, 10:30 AM

When you forget your password then after you verify yourself, your password is e-mailed to you. This means that the password isn't encrypted.


#4 pulpfiction (Banned; Posts: 62; Join Date: Jun 2012)
06-26-2012, 07:43 PM

Wow, this is ridiculous.

It's really not that hard to configure SHA1 or MD5 encryption.

Oh, and MD5 is totally insecure. It can be cracked within seconds, so I recommend sha1.
#5 Leder678 (Senior Member; Posts: 1,618; Join Date: Jan 2009; Location: Norway)
06-27-2012, 01:40 AM

SHA1 and MD5 both have the same security level, as the only way to get to know the password is by bruteforcing it.
It's recommended to use a salt for every password encryption mode.


#6 pulpfiction (Banned; Posts: 62; Join Date: Jun 2012)
06-27-2012, 02:58 PM

Quote (originally posted by Leder678):
    the only way to get to know the password is by bruteforcing it.
That's not necessarily true.

With sites such as md5decrypter.co.uk and pirax.de/md5, you can paste an md5 hash and it will search through billions of decrypted hashes.

Specifically 8.7 billion hashes just on md5decrypter.co.uk.

There are barely any sites that do the same with SHA1 hashes.

But you do have a good point with salting the passwords before they're encrypted.
#7 pulpfiction (Banned; Posts: 62; Join Date: Jun 2012)
06-27-2012, 02:59 PM

Edit: That's why MD5 is so insecure compared to SHA1.
#8 Leder678 (Senior Member; Posts: 1,618; Join Date: Jan 2009; Location: Norway)
06-28-2012, 09:38 AM

@Pulpfiction:
Bear in mind that websites like that are kind of like "pre-bruteforced" passwords.
All of the hashes they've saved are just the output of a script that generates code, hashes it and then puts it into a database.

I could make the same code for SHA1 within seconds (as I have a combination generator script), run the script for a few months, put the database on the internet, and people could search for hashed passwords the same way.

Ideally, I'd have a powerful VPS or dedicated server, so I wouldn't have to upload giga/terabytes of data after generating the code, but could instead insert and publish it in real time.

And after that's done, they'd be at the same security level.


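An added example, not part of the original thread, of what the lookup sites discussed in posts #6 and #8 actually are: a precomputed table from digest to plaintext. It builds such a table for both MD5 and SHA1 over a constructed six-word list (standing in for the billions of entries a real site holds), looks up an unsalted stored digest, then repeats the lookup against a digest stored with a random per-user salt. The salt values and the word list are constructed here; the hash functions are the standard-library ones.

```python
import hashlib
import os

# Constructed stand-in for the billions of precomputed entries on a lookup site.
WORDLIST = ["password", "123456", "letmein", "qwerty", "iloveyou", "summer2012"]


def build_table(algorithm, words, salt=b""):
    """Precompute digest -> plaintext for every word, optionally with a fixed
    salt prepended. With salt=b"" this is exactly the table a lookup site
    serves; with a salt it only covers records that used that one salt."""
    table = {}
    for word in words:
        digest = hashlib.new(algorithm, salt + word.encode()).hexdigest()
        table[digest] = word
    return table


def lookup(table, digest):
    """Return the plaintext for a stored digest if the table has it, else None."""
    return table.get(digest.lower())


def store(algorithm, password, salt=b""):
    """How the site stores the password: algorithm(salt || password)."""
    return hashlib.new(algorithm, salt + password.encode()).hexdigest()


def crack_demo(password="letmein"):
    """Run a precomputed-table attack against unsalted and salted storage for
    both MD5 and SHA1. Returns what each lookup recovered (None = nothing)."""
    out = {}
    for alg in ("md5", "sha1"):
        table = build_table(alg, WORDLIST)
        # Unsalted: the stored digest is looked up directly, for either algorithm.
        out[alg + "_unsalted"] = lookup(table, store(alg, password))
        # Salted with a random per-user salt: the same table finds nothing.
        salt = os.urandom(16)
        out[alg + "_salted"] = lookup(table, store(alg, password, salt))
        # If the attacker knows that user's salt, they must rebuild the whole
        # table for it...
        out[alg + "_salted_known"] = lookup(build_table(alg, WORDLIST, salt),
                                            store(alg, password, salt))
        # ...and that rebuilt table is useless against any other user's salt.
        out[alg + "_other_user"] = lookup(build_table(alg, WORDLIST, salt),
                                          store(alg, password, os.urandom(16)))
    return out


if __name__ == "__main__":
    for name, recovered in crack_demo().items():
        print(name, "->", recovered)
```

Running it, the two unsalted lookups return the plaintext and the two salted ones return nothing, for MD5 and SHA1 alike: the choice between the two algorithms changes nothing against a precomputed table, only the salt does, and a known salt merely forces the attacker to redo the precomputation for that single record.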
#9 pulpfiction (Banned; Posts: 62; Join Date: Jun 2012)
06-28-2012, 03:09 PM

@Leder678

I completely understand your point, but I was just pointing out that there are a lot more existing resources for cracking MD5 hashes - so SHA1 would be more secure (as long as it's salted and the password is strong).

But thanks for your reply, you do have a point.
#10 Leder678 (Senior Member; Posts: 1,618; Join Date: Jan 2009; Location: Norway)
06-28-2012, 08:22 PM

If the password is salted (a long salt with random characters) and you have a strong password, then the MD5 databases wouldn't be enough (well, except if you have the salt).

When I make a script for saving passwords, I always do a simple base64_encode, then enter the password, then encode the pwd, insert the salt, then I do a fair amount of encodings, something like this:
Code:
<?php
// $pwd is the submitted password, $salt the site's salt string.
function hash_pwd($pwd, $salt) {
    $pwd = base64_encode($pwd); // I tend to remove this line, as it has no use in most cases.
    $pwd = sha1($pwd);
    $pwd = sha1($salt . $pwd); // mix in the salt
    for ($x = 1; $x <= 10; $x++) { // 10 is just an example, I change this for every website
        $pwd = sha1($pwd);
    }
    return $pwd; // store this value
}
?>
But don't take my word that this will be a lot better; it will, however, slow down the hacker/cracker, as he needs to figure out how I do my encoding.
If everyone used the same encoding method, a hacker/cracker would have no trouble cracking the code.


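An added example, not code from the thread or from 000webhost, covering two points raised above: the per-site salted, iterated SHA1 chain in post #10, and the suggestion in posts #1 and #3 to replace the e-mailed password with a reset. It swaps the hand-rolled chain for PBKDF2-HMAC-SHA256 with a random salt per record, keeps the iteration count inside the stored record, compares digests in constant time, and stores only a hash of the reset token so a database leak does not expose live reset links. The record layout, the 16-byte salt, the 600,000-iteration work factor and the 15-minute token lifetime are this example's own assumptions, to be tuned per deployment.

```python
import hashlib
import hmac
import os
import secrets
import time

# Assumed parameters for this example: a random 16-byte salt per record, a
# PBKDF2 work factor that makes one verify cost tens of milliseconds, and a
# 15-minute lifetime for reset links.
SALT_BYTES = 16
ITERATIONS = 600_000
RESET_TOKEN_TTL = 15 * 60  # seconds


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt$digest (hex).

    A fresh random salt per record means two users with the same password get
    different records, and a precomputed table built for one salt is useless
    against every other record. Keeping the iteration count in the record lets
    it be raised later without breaking verification of older rows."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute with the stored salt and iteration count and compare in
    constant time. A malformed or foreign record verifies as False."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


# --- password reset instead of password reveal ---------------------------

def issue_reset_token(now=None):
    """Return (token_for_email, record_for_database).

    The plaintext token goes only into the e-mail; the database keeps its
    SHA-256 and an expiry. The token is 256 random bits, so an unsalted hash
    of it is not reversible by lookup table."""
    if now is None:
        now = time.time()
    token = secrets.token_urlsafe(32)
    record = {"token_hash": hashlib.sha256(token.encode()).hexdigest(),
              "expires": now + RESET_TOKEN_TTL}
    return token, record


def redeem_reset_token(token, record, now=None):
    """True only if the presented token matches the stored hash and has not
    expired; the caller should then delete the record and set a new password."""
    if now is None:
        now = time.time()
    if now > record["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(presented, record["token_hash"])


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
    tok, db_row = issue_reset_token()
    print(redeem_reset_token(tok, db_row))
```

Because the stored value cannot be turned back into the password, the "forgot password" path has to issue a token and let the user choose a new password; a site that can e-mail the old one back is, as post #3 notes, holding it in recoverable form.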