
JavaScript and AJAX Forum

    
sha512
typomaniac



 
Msg#: 4492690 posted 4:54 pm on Sep 8, 2012 (gmt 0)

Am curious, if I were to use sha512 to encrypt an email address or password, how hard is it to decrypt (I'm talking about malicious people)?
Not concerned about decrypting in the script as the input is compared with the info in the database which is also encrypted using sha512 but only curious about outsiders stealing email addresses mainly.
Thanx

 

swa66




 
Msg#: 4492690 posted 7:52 am on Sep 9, 2012 (gmt 0)

sha-512 is a hash algorithm from the sha-2 family.

In a head-on brute force attack (which nobody will try) the hash is 2^256 times stronger than sha-256 (that's a lot).
But it shares all weaknesses with the other SHA-2 family members.

What I would do:
- sha-256 is really good enough for now - be ready to move to sha-3 once it is chosen
- by all means add a long salt - storing password hashes that are unsalted is almost criminal as it exposes you to rainbow table attacks.

You seem to send the hash of a password over the wire? You do realize that any eavesdropper along the way now has the hash of the password and that that's plenty to get authenticated without knowing the password itself.

I'd stick to standard mechanisms instead of trying to build your own solution out of building blocks - in crypto you fail instantly if you try to do that.
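
An added example, not part of swa66's post or of any code posted in this thread: a Node.js sketch of why a per-user salt matters and what a server-side check with a standard mechanism can look like. PBKDF2-HMAC-SHA256, the iteration count, the record format and all function names are assumptions chosen for illustration; the password is constructed sample data, and the server is assumed to receive the password itself over TLS rather than a client-computed hash.

```javascript
const crypto = require('crypto');

const ITERATIONS = 600000; // assumed work factor; tune for your hardware
const KEY_LEN = 32;        // bytes of derived key
const SALT_LEN = 16;       // bytes of random salt per user

// What the thread warns against: a bare, unsalted digest.
function unsaltedSha512(password) {
  return crypto.createHash('sha512').update(password, 'utf8').digest('hex');
}

// Salted, iterated hash. Returns a self-describing record for the database.
function hashPassword(password) {
  const salt = crypto.randomBytes(SALT_LEN);
  const dk = crypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_LEN, 'sha256');
  return ['pbkdf2-sha256', ITERATIONS, salt.toString('hex'), dk.toString('hex')].join('$');
}

// Server-side check: re-derive with the stored salt, compare in constant time.
function verifyPassword(password, record) {
  const parts = String(record).split('$');
  if (parts.length !== 4 || parts[0] !== 'pbkdf2-sha256') return false;
  const iterations = Number(parts[1]);
  const salt = Buffer.from(parts[2], 'hex');
  const expected = Buffer.from(parts[3], 'hex');
  // Reject malformed records; an empty digest would otherwise compare equal.
  if (!Number.isInteger(iterations) || iterations < 1) return false;
  if (expected.length !== KEY_LEN) return false;
  const actual = crypto.pbkdf2Sync(password, salt, iterations, KEY_LEN, 'sha256');
  return crypto.timingSafeEqual(actual, expected);
}

// Two users who happen to pick the same (constructed) password.
function demo() {
  const pw = 'correct horse battery staple';
  const userA = hashPassword(pw);
  const userB = hashPassword(pw);
  return {
    // Unsalted: identical stored values, so one precomputed table hits both.
    unsaltedCollide: unsaltedSha512(pw) === unsaltedSha512(pw),
    // Salted: the records differ even though the password is the same.
    saltedCollide: userA === userB,
    goodLogin: verifyPassword(pw, userA),
    badLogin: verifyPassword('wrong guess', userA),
  };
}
```
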

typomaniac



 
Msg#: 4492690 posted 4:07 am on Sep 10, 2012 (gmt 0)

I sure feel like a Bozo having asked that question--not a matter of "what was I thinking" but purely a case of not thinking. Appears I'm going to have to resort to SSL if I want to protect passwords.

swa66




 
Msg#: 4492690 posted 7:06 am on Sep 10, 2012 (gmt 0)

Actually: don't feel bad, you'd be amazed how many actually deployed and installed systems out there contain basic errors.

It doesn't help that almost every example in almost every tutorial makes bad choices security-wise. We're setting up the world for failure that way...

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved