I'm making a website that will integrate with a game that only supports the md5 hashing method (atm). Which ofc is not especially safe anymore. But how could I make it stronger? Should I just generate long strings of random letters and numbers and hash them? But then the users have to save the password on paper or in a txt file on their computer.

What do you suggest?

+2  A: 

The weaknesses of md5 are a little over-hyped, but you can just use sha512 instead. It's a better hashing algorithm.

Ken
+5  A: 

What is wrong with an md5 hash for what you are doing? Throwing more random characters at it won't make much difference.

You can take a look at SHA hashes for an alternative to md5.

Bartek
Also avoid using the default seed. It will take a lot longer to crack if they can't use/reduce the effectiveness of rainbow tables.
envalid
OP said the ATM device only supports MD5.
Loadmaster
@Loadmaster I can't tell if you're being sarcastic but I'm pretty sure atm stood for "at the moment" .. :)
Bartek
No sarcasm intended, I just misread it.
Loadmaster
+2  A: 

While MD5 isn't the best hashing algorithm out there due to its weaknesses, it all depends on exactly what you're doing. If it's your only option and you want to hash passwords before storing them in the database, by all means do so.

You said that MD5 is your only option "at the moment". Does this mean you might have other hash algorithms available later? Consider using MD5 for now but leave yourself an upgrade path to use other algorithms.

You may want to consider using a salt in conjunction with MD5. This will help defend against some attacks (e.g., rainbow tables).

Jeff
+2  A: 

If it's for password hashing, consider using a salted hash instead of just brute hashing the password. See Wikipedia.

If the passwords are user-chosen, consider having a password strength indicator and also prevent users from choosing one that is too easy. One good thing is to check that there are at least two of upper/lower/numbers and run them through cracklib, and if they fail that, refuse to set the password.

Other than that you're pretty much OK.

246tNt
+2  A: 

What exactly do you hash and how do you use the hash?

Are you referring by any chance to storing account passwords for authentication with the site? The weaknesses of password hashing are caused by using the hash (any hash) in a wrong manner, not by inherent hashing algorithm weakness. Nobody is going to brute force your MD5 hash; the problem will be dictionary attacks against known hash values (rainbow tables). And the protection is to use an HMAC hash, or something similar, like a 'salted' hash.

I'm afraid you're on the wrong track if you consider that using a different hashing algorithm will give you any benefit. While it is true that SHA1 or SHA256 have stronger cryptographic attributes and will stand a brute force attack for a longer time, even the strongest hash will be useless if incorrectly used. On the other hand, MD5 will work just fine when used properly.

Remus Rusanu
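An added example (not code from any of the posters above) combining the per-user salt suggested in several answers with the upgrade path Jeff describes: each stored record names its scheme, so a correct login can be re-hashed once a stronger algorithm becomes available. It assumes the website performs the verification itself; the record format, the scheme names and the choice of PBKDF2 as the later scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Record format (constructed for this example): "scheme$salt_hex$digest_hex"
CURRENT_SCHEME = "md5-salted"        # the only option "at the moment"
PBKDF2_ROUNDS = 100_000              # assumed work factor for the later scheme


def _digest(scheme: str, salt: bytes, password: str) -> str:
    """Compute the hex digest for one scheme; unknown schemes are rejected."""
    pw = password.encode("utf-8")
    if scheme == "md5-salted":
        return hashlib.md5(salt + pw).hexdigest()
    if scheme == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ROUNDS).hex()
    raise ValueError(f"unknown scheme: {scheme}")


def hash_password(password: str, scheme: str = CURRENT_SCHEME) -> str:
    """Create a record with a fresh random 16-byte salt for every password."""
    salt = secrets.token_bytes(16)
    return f"{scheme}${salt.hex()}${_digest(scheme, salt, password)}"


def verify_password(password: str, record: str, preferred: str = CURRENT_SCHEME):
    """Return (ok, new_record).

    new_record is a re-hashed record when the login succeeded but the stored
    record uses an older scheme than `preferred`; otherwise it is None.
    """
    try:
        scheme, salt_hex, expected = record.split("$")
        actual = _digest(scheme, bytes.fromhex(salt_hex), password)
    except ValueError:               # malformed record or unknown scheme
        return False, None
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(actual, expected):
        return False, None
    if scheme != preferred:
        return True, hash_password(password, preferred)
    return True, None
```

When `verify_password` returns a new record, the caller writes it back to the user's row, so accounts migrate off MD5 one successful login at a time.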