sha512

4:54 pm on Sep 8, 2012 (gmt 0)

Junior Member from US 

5+ Year Member

joined:Feb 11, 2010
posts: 96
votes: 0


Am curious, if I were to use sha512 to encrypt an email address or password, how hard is it to decrypt (I'm talking about malicious people)?
Not concerned about decrypting in the script as the input is compared with the info in the database which is also encrypted using sha512 but only curious about outsiders stealing email addresses mainly.
Thanx
7:52 am on Sept 9, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 7, 2003
posts:4783
votes: 0


sha-512 is a hash algorithm from the sha-2 family.

In a head-on brute force attack (which nobody will try) the hash is 2^256 times stronger than sha-256 (that's a lot).
But it shares all weaknesses with the other SHA-2 family members.

What I would do:
- sha-256 is really good enough for now - be ready to move to sha-3 once it is chosen
- by all means add a long salt - storing password hashes that are unsalted is almost criminal as it exposes you to rainbow table attacks.

You seem to send the hash of a password over the wire? You do realize that any eavesdropper along the way now has the hash of the password and that that's plenty to get authenticated without knowing the password itself.

I'd stick to standard mechanisms instead of trying to build your own solution out of building blocks - in crypto you fail instantly if you try to do that.
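
The points in the reply above, as an added example that is not part of the original post: a bare SHA-512 digest next to a per-user salted hash, and why a hash sent by the client acts as the password. PBKDF2-HMAC-SHA512 from Python's standard library stands in for the "standard mechanism" (the thread does not name one); the function names, iteration count and sample password are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor, not from the thread; tune for your hardware


def unsalted_sha512(password: str) -> str:
    """The scheme from the question: a bare, unsalted SHA-512 digest."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash using the standard PBKDF2-HMAC-SHA512 construction."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Server recomputes from the plaintext (sent over TLS) and compares in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def weak_login_accepts(client_sent_hash: str, stored_hash: str) -> bool:
    """Design from the question: the client sends the hash and the server compares it."""
    return hmac.compare_digest(client_sent_hash, stored_hash)


def demo() -> dict:
    pw = "correct horse"  # constructed sample: two users who chose the same password
    alice_unsalted, bob_unsalted = unsalted_sha512(pw), unsalted_sha512(pw)
    alice_salt, alice_hash = hash_password(pw)
    _, bob_hash = hash_password(pw)
    return {
        "unsalted_identical": alice_unsalted == bob_unsalted,  # one precomputed table hits both
        "salted_identical": alice_hash == bob_hash,            # per-user salt separates them
        "right_password_ok": verify_password(pw, alice_salt, alice_hash),
        "wrong_password_ok": verify_password("guess", alice_salt, alice_hash),
        # The value seen on the wire is accepted as-is: the hash has become the credential.
        "hash_on_wire_accepted": weak_login_accepts(alice_unsalted, alice_unsalted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Store the salt alongside the digest for each user; the salt is not secret, it only has to be unique per record.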
4:07 am on Sept 10, 2012 (gmt 0)

Junior Member from US 

5+ Year Member

joined:Feb 11, 2010
posts: 96
votes: 0


I sure feel like a Bozo having asked that question--not a matter of "what was I thinking" but purely a case of not thinking. Appears I'm going to have to resort to SSL if I want to protect passwords.
7:06 am on Sept 10, 2012 (gmt 0)

Senior Member

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 7, 2003
posts:4783
votes: 0


Actually: don't feel bad, you'd be amazed how many actually deployed and installed systems out there contain basic errors.

It doesn't help that almost every example in almost every tutorial makes bad choices security-wise. We're setting up the world for failure that way...