I just wrote a very small and simple class for the dynamic generation and storage of salt for use in sites which use md5 for hashing information. I wrote a post on my blog about it located here:

http://juanjose.blackfalconsolutions...ic-salt-class/

Let me know what you all think. Thanks.

I'd recommend upgrading your class to use the http://us.php.net/manual/en/function.hash.php function so that all hashes are supported. md5 was compromised awhile back and sha1 is compromised as well (though sha1 is less compromised if you give any weight to "less"). Sooner or later all hashes will be compromised so such a generic class will give you greater forward compatibility.

Hi Jeremy,

Thanks for the notice on that function! My only issue with it is the PHP5 requirement, although I do use PHP5 I can't imagine that all my readers actually use it as well, in fact I know many people who don't.

Maybe create a PHP4 compatible version along side the PHP5 version?

Thanks for the reply.

Fair enough. Use sha1 then as it has been less compromised. lol. "less compromised" -- I wonder what that really means.

I the next couple of years people will effectively have to move to PHP 5 given that 4 is reaching end of life, so I'd definitely create a PHP 5 version for those who want the added security.

I forget the URL but I saw a MD5 search engine. Meaning you put in the hash value and it tells you what text computes to that.

It didn't know any of the hashes I tried. But still my gut feeling tells me its a database with a bunch of saved hash values, and probably a program that generates new ones to stuff in there.

Does anyone know about this? If they build their database from a dictionary then things are okay but if they use random generation then salt won't help.

A quick Google turned up md5.rednoize.com which has both md5 and sha1 . Most of these will have dictionaries of converted words as the complexity to test randomly generated stuff is fairly large. I read something somewhere awhile back that talked about how one of the US govt agencies linked most of their computers together and would then index every word on your computer and every word from every website you've visited and then processed each of those and every combination of them until it was able to hack the password using their full network of computers (much like the seti screen saver thing).

The problem with randomized seeds is that they're not random - they're pseudorandom. This means that if the method for generating the pseudorandom number is known or guessable, then every possible value which could be thrown out by the pseudorandom generator can be tested as a seed for the hashes. For instance, if you base your seed off of the current time which is generally only accurate to the nearest second, then I can test against every second during the timeframe you've been using your computer. If it's based off of mouse movements, then it's a bit more complicated, but there are only so many pixels on a screen, so sooner or later it can be hacked.

Here's the 2 key things to remember for computer security:

1) If it's every entered in plain text or viewable plain text, then assume the whole world has it.

2) Given enough time every form of security out there will be hacked. Time is the only factor of consequence when it comes to public key cryptography and hashes. Now, if you use the one-time pad methodology and you only enter in the encrypted form and it's only decrypted after being extracted from the computer (via printing, for example), then you should be safe. This is, of course, fairly time consuming so few do it, but that's the only way to guarantee 100% security.

Just tested that rednoize link and only the first hash shown here was reverse engineered, so it's definitely a dictionary site:

PHP Code:

<?php
echo sha1('happy')."<br />";
//3978d009748ef54ad6ef7bf851bd55491b1fe6bb

echo sha1('happydude')."<br />";
//c140d1f17123ed067a5db692eaeaaf0a2be7a693

echo sha1('happy2dude')."<br />";
//c2f3171dbe5c11aef84598491fb39ad72a0f9bfc
?>

Absolutely those sites are just data dictionaries (I believe they're called 'rainbow tables'). 9 times out of 10, so long as you use a salt, the thing is fairly safe.

I think you'll find going forward that the bigger problem will be hash collisions. There is already code out there for finding MD5 collisions (though I don't know how long they take) so that's something else to worry about, too...