As we all know, or at least should know, if you are storing passwords in a database, they should only ever be stored as hashes and NEVER as plain text or using reversible encryption.

What is hashing?

By hashing the password, you are not storing the original password, only a calculated representation of it. Provided you know certain information about how the hash of the password was created, you can recreate the same hash from the password and compare the stored version to the newly hashed version for verification.

There are many different types of hashing, from MD5 to Argon2 (at the time of writing) and lots in between. However, some, like MD5, are a lot more “crackable” than others, like Argon2, which won the most recent Password Hashing Competition. There are also additional methods that you can employ to reduce the “crackability” of your stored passwords even further.

What is wrong with MD5 hashing?

Fundamentally, there is nothing particularly wrong with MD5 hashing for non-cryptographic uses, like checksums to verify data integrity; however, it suffers from extensive vulnerabilities for cryptographic uses. MD5 hashing is particularly quick to compute; for example, an NVIDIA GeForce 8800 Ultra GPU can calculate more than 200 million MD5 hashes per second. It also suffers from extensive collisions, making it particularly vulnerable to collision attacks, where two or more different inputs can produce the same hash.

Due to this, if an attacker has accessed your database and retrieved the hashes you have stored, they do not need to find the actual password to create the same hash; they just need to find a string that produces the same hash, and they would be able to use that as the password. As MD5 hashes can be calculated relatively “cheaply”, e.g. millions per second on consumer hardware, it is relatively “cheap” to find a password that would work.

Some people think that they are getting around this by performing the hash multiple times (key stretching) or by adding a salt; however, neither of these really helps, due to the collision issue.

So, if you are using the hash() function in your CFML application to hash passwords to store in a database, you are probably using MD5, for example, hash(password), as MD5 is the default used by this function. This function also has an algorithm argument that allows the use of SHA, SHA-256, SHA-384 & SHA-512 as well. Also, from Adobe ColdFusion (ACF) 7 there is an additional argument called additionalIterations, which allows you to tell it to perform additional iterations on the hash. Lucee also has a similar argument called numIterations, which defaults to 1 and allows you to specify the number of iterations you would like to perform.
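To find where a CFML code base still ends up with MD5 through hash(), either by omitting the algorithm or by naming it, a small source audit helps. The script below is an added example, not code from the original post; the names `find_md5_hash_calls`, `split_args` and `SAMPLE` are hypothetical, the sample CFML is constructed, and it assumes the algorithm is the second positional argument of hash() or a named `algorithm` argument.

```python
import re

# Matches a call to the built-in hash(), but not myHash( or obj.hash(
CALL = re.compile(r"(?<![\w.])hash\s*\(", re.IGNORECASE)
NAMED = re.compile(r"(\w+)\s*=(?!=)\s*(.*)", re.DOTALL)

def split_args(src, start):
    """Top-level arguments of the call whose '(' ends just before `start`."""
    args, cur, depth, quote = [], [], 1, None
    for ch in src[start:]:
        if quote:                      # inside a string literal
            quote = None if ch == quote else quote
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:             # end of the hash( ... ) call
                return args + ["".join(cur).strip()]
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    return None                        # unbalanced call, skip it

def find_md5_hash_calls(source):
    """Return (line, reason) for hash() calls that resolve to MD5."""
    findings = []
    for m in CALL.finditer(source):
        args = split_args(source, m.end())
        if args is None:
            continue
        # Assumption: algorithm is positional argument 2 or named "algorithm"
        positional = [a for a in args if not NAMED.match(a)]
        algo = positional[1] if len(positional) > 1 else None
        for a in args:
            named = NAMED.match(a)
            if named and named.group(1).lower() == "algorithm":
                algo = named.group(2)
        line = source.count("\n", 0, m.start()) + 1
        if algo is None:
            findings.append((line, "default MD5"))
        elif algo.strip("\"' ").upper() == "MD5":
            findings.append((line, "explicit MD5"))
    return findings

# Constructed sample, not taken from any real application
SAMPLE = '''<cfset stored = hash(form.password)>
<cfset a = hash(form.password & salt, "MD5", "UTF-8", 1000)>
<cfset b = hash(trim(form.password), "SHA-512")>
<cfset c = hash(input=form.password, algorithm="md5")>
<cfset d = myhash(form.password)>
'''
```

Calls whose algorithm is passed in a variable are not flagged, so those still need a manual look.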