MD5 hash unsecure for passwords!

Posted: Wed Aug 05, 2015 11:05 pm
by Diego
Hello guys,

please read here:
http://php.net/manual/en/faq.passwords. ... s.fasthash
and learn that MD5 is unsuitable for password management.

Sure, you add a salt string, but a brute-force attack is an easy, cheap and fast solution for cracking that; we don't live in a 486 world anymore...


Have a nice day

Re: MD5 hash unsecure for passwords!

Posted: Thu Sep 03, 2015 10:52 am
by Christopher
It's for sure correct that MD5 nowadays is not the best hashing algorithm for passwords. Feel free to improve CrazyStat, it is open source.

But I consider the way CrazyStat encrypts passwords still secure enough. First, the password only protects your website's statistics and logs. I doubt this information is worth a brute-force attack for most websites using CrazyStat.
Second, CrazyStat hashes the password on the client side if the browser supports JavaScript (and warns you if it does not). This means the password is never sent in cleartext over the network (without the user being warned beforehand). This is by far more secure than most login mechanisms of modern scripts. E.g. Piwik sends passwords unencrypted over the network, thus allowing easy man-in-the-middle attacks.

And if an attacker gets access to the salted password stored in config_pass.php, you have got a much bigger problem anyway. The attacker can read protected files on your file system, so he can also read your log files, which is everything the password protects. Why should he bother brute-forcing the hash if he can already read the information protected by it? It would only make sense if the password is also used somewhere else.

Of course, if I were writing this today, I would use another hashing algorithm. I would not write my own password protection, but use a proven one offered by a framework. But for what it protects, I still consider CrazyStat's login mechanism secure enough.