  1. #1
    Prostidude
    My class is learning Hash codes now

    Can you give me a brief detail on what it is, and how it is used?
    "Nine, "Ko-Kon" cried the mighty Kurama"

  2. #2
    Dave
    What kind of hashes?
    Encrypted strings?
    It's a terrible thing, I think, in life to wait until you're ready.
    I have this feeling now that actually no one is ever ready to do anything.
    There is almost no such thing as ready. There is only now.
    And you may as well do it now. Generally speaking, now is as good a time as any.

  3. #3
    Prostidude
    Yeah, the ones that'll hide passwords

  4. #4
    Dave
    Encryption algorithms are functions to convert a string to an unreadable string.
    The most used encryption technique for passwords is MD5; however, I don't recommend that one since it's easily brute-forceable and certain sites have a database with millions of decrypted hashes.

    In PHP you can convert a string to an unreadable string by doing something like:
    PHP Code:
    // MD5
    echo md5("password");

    // SHA1
    echo sha1("password");

    // SHA512, we use the PHP function "hash" for this.
    echo hash("sha512", "password");
    When you're storing passwords, it's also important to add a "salt" to it. This makes it even harder for dictionary brute-force attacks to decrypt the hashes.
    PHP Code:
    // Append the salt to the password before hashing.
    $salt = "EOIRJTO23049";
    echo sha1("password" . $salt);

  5. #5
    Donator

    Originally Posted by SuperWaffle
    Encryption algorithms are functions to convert a string to an unreadable string.
    The most used encryption technique for passwords is MD5; however, I don't recommend that one since it's easily brute-forceable and certain sites have a database with millions of decrypted hashes.

    In PHP you can convert a string to an unreadable string by doing something like:
    PHP Code:
    // MD5
    echo md5("password");

    // SHA1
    echo sha1("password");

    // SHA512, we use the PHP function "hash" for this.
    echo hash("sha512", "password");
    When you're storing passwords, it's also important to add a "salt" to it. This makes it even harder for dictionary brute-force attacks to decrypt the hashes.
    PHP Code:
    // Append the salt to the password before hashing.
    $salt = "EOIRJTO23049";
    echo sha1("password" . $salt);
    If you know the algorithm used for the encryption, i.e. md5(md5($password . $salt)) (vB's one), it makes no difference whatsoever whether there is a salt or not; obviously, if you have the password hash, I am assuming you have access to the salt too (SELECT salt from users WHERE user='$username').

    Seeing that a BF attack works by using all possibilities within the parameters you give, i.e. (max length: 6, alphanumeric no symbols, etc.), so 6 max and alphanumeric would be 6 ^ 35 different possibilities. And what the brute-force software or script will do is loop through all those possibilities.
    In essence this is what it will do:
    PHP Code:
    $salt = "qiu31u2i3u123uijasdasd";
    $hash = "c20ad4d76fe97759aa27a0c99bff6710";
    // Just putting this here so it can be understood: let's imagine the array with all
    // possibilities has already been created, even though creating such a big array is
    // not a good idea in PHP.
    $array_with_possibilities = array();
    $counter = 0;

    while (count($array_with_possibilities) > $counter) {
        // Hash the current candidate the same way the stored hash was produced.
        $current_hash = md5(md5($array_with_possibilities[$counter] . $salt));
        // Strict comparison, so numeric-looking hash strings are not compared loosely.
        if ($current_hash === $hash) {
            die("Password found: {$array_with_possibilities[$counter]}");
        }
        $counter++;
    }

    Didn't write this on an IDE so don't mind any syntax mistakes

    As for MD5 being easier bruteforced than the others, not true, seeing you are not reverse engineering the algorithm itself but creating all possibilities until you hit the correct one, which can be done with any of the other algorithms you suggested.

  6. #6
    Dave
    I meant MD5 hashes are faster to brute force than SHA512 hashes.
    Let's use this tool as an example: http://www.insidepro.com/eng/egb.shtml
    MD5: 420 million p/s
    SHA-512: 12.5 million p/s

    It also depends on the length of the string which you encrypted of course.

  7. #7
    Prostidude
    Ok, I got you 2 understanding, but like for example

    "string hash ( string $algo , string $data [, bool $raw_output = false ] )" is that already a hash value?

  8. #8
    Donator

    Originally Posted by SuperWaffle
    I meant MD5 hashes are faster to brute force than SHA512 hashes.
    Let's use this tool as an example: http://www.insidepro.com/eng/egb.shtml
    MD5: 420 million p/s
    SHA-512: 12.5 million p/s

    It also depends on the length of the string which you encrypted of course.
    Now, that makes a lot more sense.
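
The two points debated in this thread, salts (posts #4 and #5) and hashing speed (post #6), shown with PHP's built-in password API. This is an added example, not code from any poster in the thread; the sample password, the cost values and the helper secondsPerHash() are assumptions made for illustration.

```php
<?php
// Added example: the password and the two "accounts" are constructed sample data.
$password = 'correct horse battery';

// 1. Fast unsalted hash: the same password always gives the same hash, so one
//    precomputed table entry matches every account that uses that password.
$alice = md5($password);
$bob   = md5($password);
var_dump(hash_equals($alice, $bob));           // same hash for both accounts

// 2. password_hash() draws a fresh random salt on every call and embeds the
//    algorithm, cost and salt in the returned string, so the two accounts
//    get different hashes and no separate salt column is needed.
$opts   = ['cost' => 12];                      // assumed work factor; tune per server
$aliceH = password_hash($password, PASSWORD_BCRYPT, $opts);
$bobH   = password_hash($password, PASSWORD_BCRYPT, $opts);
var_dump(hash_equals($aliceH, $bobH));         // hashes differ despite equal passwords

// 3. Verification re-derives the hash from the salt and cost stored inside it.
var_dump(password_verify($password, $aliceH)); // correct password
var_dump(password_verify('password', $aliceH)); // wrong password

// 4. Cost per guess: average the time of one hash for each algorithm.
function secondsPerHash(callable $fn, int $rounds): float {
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $fn("candidate$i");
    }
    return (microtime(true) - $start) / $rounds;
}
$md5    = secondsPerHash('md5', 200000);
$sha512 = secondsPerHash(fn($p) => hash('sha512', $p), 200000);
$bcrypt = secondsPerHash(fn($p) => password_hash($p, PASSWORD_BCRYPT, $opts), 3);
printf("md5:    %.2e s/hash\n", $md5);
printf("sha512: %.2e s/hash\n", $sha512);
printf("bcrypt: %.2e s/hash (cost %d)\n", $bcrypt, $opts['cost']);

// 5. When the cost is raised later, upgrade each stored hash at the next login.
if (password_needs_rehash($aliceH, PASSWORD_BCRYPT, ['cost' => 13])) {
    $aliceH = password_hash($password, PASSWORD_BCRYPT, ['cost' => 13]);
}
echo password_get_info($aliceH)['options']['cost'], "\n";
```

Timings depend on the machine; what matters is the ratio between the fast hashes and bcrypt, which is the per-guess cost an offline guesser has to pay.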
