Where do you store your salt strings?

The point of rainbow tables is that they’re created in advance and distributed en masse to save calculation time for others – it takes just as long to generate rainbow tables on the fly as it would to just crack the password+salt combination directly (since effectively what’s being done when generating rainbow tables is pre-running …

What data type to use for hashed password field and what length?

Update: Simply using a hash function is not strong enough for storing passwords. You should read the answer from Gilles on this thread for a more detailed explanation. For passwords, use a key-strengthening hash algorithm like Bcrypt or Argon2i. For example, in PHP, use the password_hash() function, which uses Bcrypt by default. $hash = password_hash("rasmuslerdorf", …

Failed to install Python Cryptography package with PIP and setup.py

I had a similar issue, and found I was simply missing a dependency (libssl-dev, for me). As referenced in https://cryptography.io/en/latest/installation/, ensure that all dependencies are met: On Windows: If you’re on Windows you’ll need to make sure you have OpenSSL installed. There are pre-compiled binaries available. If your installation is in an unusual location set …

Is “double hashing” a password less secure than just hashing it once?

Hashing a password once is insecure. No, multiple hashes are not less secure; they are an essential part of secure password use. Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from …

Java 256-bit AES Password-Based Encryption

Share the password (a char[]) and salt (a byte[]—8 bytes selected by a SecureRandom makes a good salt—which doesn’t need to be kept secret) with the recipient out-of-band. Then to derive a good key from this information: /* Derive the key, given password and salt. */ SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); KeySpec spec = new PBEKeySpec(password, …

Fundamental difference between Hashing and Encryption algorithms

Well, you could look it up in Wikipedia… But since you want an explanation, I’ll do my best here: Hash Functions: They provide a mapping between an arbitrary length input, and a (usually) fixed length (or smaller length) output. It can be anything from a simple crc32, to a full blown cryptographic hash function such …

Encrypt and decrypt a string in C#? [closed]

EDIT 2013-Oct: Although I’ve edited this answer over time to address shortcomings, please see jbtule’s answer for a more robust, informed solution. https://stackoverflow.com/a/10366194/188474 Original Answer: Here’s a working example derived from the “RijndaelManaged Class” documentation and the MCTS Training Kit. EDIT 2012-April: This answer was edited to pre-pend the IV per jbtule’s suggestion and as …

How do you use bcrypt for hashing passwords in PHP? [duplicate]

bcrypt is a hashing algorithm which is scalable with hardware (via a configurable number of rounds). Its slowness and multiple rounds ensure that an attacker must deploy massive funds and hardware to be able to crack your passwords. Add to that per-password salts (bcrypt REQUIRES salts) and you can be sure that an attack is …
