I know this isn’t a great title and i’m not expecting anyone to actually know the specifics.
I’m referring specifically to PHP’s md5 function that changes the password to a 32bit string, i think…
Anyway, If I have a password such as ‘typewriter’ will the md5 function always encode it to the exact same string? If so, surely it is very easy to just work out what all the words are encoded to and find someone’s password? If there’s a function to encode a word surely there could be a function to quickly decode it…
What is the safest way to encode a users password, i read about using the salt method to append another string to the users password, but surely if they can decode the password they can decode the salt to?
Thanks For Your Time, i look forwards to your suggestions.
P.S not sure it’s going to be easy to award a winner for this as its a fairly open question.
Hashing of passwords using one-way-functions that produce a deterministic result from any an string, which is the whole point of hashing: Rather than storing the value you store some derived message and check if the hash of the user input matches the hash stored in the user repository.
The problem you suggests – that someone creates a dictionary containing all words and their hash values which enables reverse lookup of hashes is certainly a problem which must be addressed and the reason why many login system requires you to choose non-word passwords.
The other factor of a good hashing function must be that even minor changes in the input (the password) causes major changes in the hash. This way adding a number or chaning casing will produce drastically new outputs and the work of creating a dictionary will be much harder. An example using md5 hashing:
password: 5f4dcc3b5aa765d61d8327deb882cf99
passworD: a61f3f0aee2e87cf0571ca70afe289d2
Put rest assured that a dictionary containing “test” “password” “mommy123” etc already exists.
Besides md5 is not a very secure hash function, using SHA1 or SHA-256 might be better choices.