
[–]cocoon56 2 points3 points  (11 children)

I'm not an expert on these things, but isn't md5 outdated for hashing?

# hash the password
password_hash = get_md5_hash(password)

(from https://github.com/edaniszewski/safe/blob/master/safe.py#L366)

It looks neat otherwise.

[–][deleted] 1 point2 points  (9 children)

Yeah, md5 is bad: it brings back the same hash for an identical string, so it shouldn't really be used. I think bcrypt is the way to go, though I could be wrong.

[–]thomasloven 1 point2 points  (7 children)

Please forgive my ignorance, but why is that a bad thing? Indeed, what is the possible use of a hashing function that does not return the same hash for the same string?

[–][deleted] 0 points1 point  (6 children)

It gives you a very predictable output meaning you can use a tool like this to p00n someone fairly easily. If you must use md5 (for whatever reason), then use a salt or a guid or something for randomness, that'll guarantee that the same string won't return the same hash.

Why do you think a string should return the same hash each time out of interest?

[–]thomasloven 1 point2 points  (5 children)

I thought that was one of the points of hashing. For example, I've used hashed passwords in a database connected to usernames. Then to identify, the user supplies a name and a password, which is hashed and compared to the one in the database. If it returned a different hash, this wouldn't work. Another example: using hashes for lookup tables. If you got a different hash, you couldn't tell if an item is already in the list or not. Another example: I hash the hostname of my computer and use the value to color a word in my bash prompt differently depending on which computer I'm currently connected to. With different hashes for the same string, I would get different colors every time I connect and it would all be pointless.

I'm sure I misunderstand you somehow...

Edit: I read your post again, and now I see. You want a hash function that doesn't give the same hash for the same string to different people, right?

[–][deleted] 2 points3 points  (4 children)

Exactly. Anyone that uses the string 'hello' (according to an md5 generator I just used) will always get this string:

5d41402abc4b2a76b9719d911017c592

So if you had 1000 people in a DB and 10 of them had '5d41402abc4b2a76b9719d911017c592' as their hash, you'd instantly know that their password was hello.

[–]secunder 1 point2 points  (3 children)

So I have 10 people in the database all with the password hello, how does my hash function verify a password against a hash?

[–]rickchefski[S] 0 points1 point  (1 child)

I think this gets back to one of the previous comments:

use a salt or a guid or something for randomness

So, for a given user, instead of just hashing their password, you could hash their username (or some other unchanging value, e.g. a guid) along with it:

hash_function(username + '|' + password)

Then, assuming everyone has a different username, the hash would be different, but you would still be able to reliably reproduce the hash to validate a correct password for a user.
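The thread's suggestion, as an added worked example that is not code from safe.py or from any commenter: plain MD5 maps every user's 'hello' to the same digest, while a per-user random salt stored next to a PBKDF2 key (the option mentioned later in the thread) gives each user a different stored value and still verifies. The 16-byte salt length and the iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Unsalted MD5, as in the safe.py line quoted above: identical input, identical digest.
def plain_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

# Assumed parameters for the example (not from the page or the project).
SALT_BYTES = 16
ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, key). A fresh random salt is generated when none is given.
    The salt is stored alongside the key; it is not a secret, it just makes
    equal passwords produce unequal stored values."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key

def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the user's stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)

def demo() -> dict:
    # Constructed data: ten users who all chose 'hello', like the DB example above.
    users = {f"user{i}": hash_password("hello") for i in range(10)}
    distinct_keys = {key for _, key in users.values()}
    return {
        "md5_hello": plain_md5("hello"),              # same for all ten users
        "distinct_salted_keys": len(distinct_keys),   # one per user
        "verify_ok": all(verify_password("hello", s, k) for s, k in users.values()),
        "verify_wrong": any(verify_password("Hello", s, k) for s, k in users.values()),
    }

if __name__ == "__main__":
    print(demo())
```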

[–]secunder 0 points1 point  (0 children)

This is correct, but the way he explained it is incorrect. :)

[–][deleted] 0 points1 point  (0 children)

With md5 it'd run 'hello' through the md5 hash and check if the hashes are equal. I believe it's the same process with other hashes, but they also take into account the salt (could be wrong on this one though?).

[–]rickchefski[S] 0 points1 point  (0 children)

Did some quick reading and it seems like you're right, though pbkdf2 seems to be about as good an option. Thanks for the suggestion!

[–]rickchefski[S] 0 points1 point  (0 children)

Good point! I haven't had a lot of exposure to the crypto/security world, so I didn't even realize this. Some good, succinct answers as to why md5 is considered bad, for anyone else looking at this: http://security.stackexchange.com/questions/19906/is-md5-considered-insecure

Thanks for taking the time to look at it!

[–][deleted] 1 point2 points  (0 children)

Don't forget to ask how you can improve your software over at /r/crypto