1

I try to encrypt passwords using MD5, but there are decoders for MD5. So I'm worried about the encryption of passwords for a big website.

Is there any logical suggestion or step function to generate strong password?

Andrei Botalov
viyancs
  • The simple solution is don't use MD5, use bcrypt. MD5 isn't encryption; you seem confused by this fact. You might want to research the proper way to store a password hash. – Ramhound Aug 01 '12 at 15:48

3 Answers

2

I can't understand what you are asking, but this has been asked many times here. If you want to know how you should store your passwords: a modern, strong, key-strengthened cryptographic hash like bcrypt is ideal; at worst use something like sha256/sha512 with a random salt (different for each account) stored with the password. This has been covered in many threads here.

As for how to think of a strong password, random passphrases are great, and diceware is an easy way to come up with one. Also, 10+ character long passwords with a mix of uppercase/lowercase/numbers/symbols are sufficiently strong. If you use many unique passwords (always a good idea), it's helpful to use tools like keepassx to keep an encrypted list of your passwords associated with each site.

Remember never to re-use passwords at multiple sites. E.g., if you use the same password at your bank as at some random webapp, you have no assurance that the random webapp isn't storing your password in plaintext (or near equivalent), and some admin/hacker there will someday try to use that password with other information (like your username) at places like your bank.

dr jimbob
2

MD5 is a hashing, not an encryption, algorithm. Normally its use is deprecated in favour of alternatives such as SHA 128 / 256. Hashed passwords are normally salted too. Try a search for troyhunt, who has an excellent series of articles on this very subject.

Dominic
  • "SHA 128" does not exist. And recommending SHA-256 is misleading too, since even with a salt, plain (single iteration) SHA-256 sucks for password hashing. – CodesInChaos Aug 01 '12 at 11:22
1

Generate a cryptographically secure random password, hash it and store it alongside a salt. A hash function is designed to be one way, that is, you shouldn't be able to uncover the original plain string from a hash. A salt does not need to be unique or secret and is used to prevent certain types of attacks (such as dictionary attacks).

secret = H ( password || salt )

Where H is a hash function such as sha512 or BCrypt; password is the plain text secret not stored by the system but known by the user; and || is concatenation.

You then store the secret and salt alongside each other.
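The scheme the two answers above describe (a per-account random salt stored next to a key-strengthened digest, and constant-time verification), as an added example that is not part of any of the answers. It uses Python's standard-library PBKDF2-HMAC-SHA256 as the slow hash H because bcrypt is not in the standard library; the iteration count, salt size and record format are assumptions of this example, and the unsalted MD5 helper is only there to show the behaviour the question complains about.

```python
import hashlib
import hmac
import os

# Assumed parameters for this example, not values taken from the answers.
ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster
SALT_BYTES = 16       # 128-bit random salt, generated fresh for every account


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$digest'.

    The salt comes from the OS CSPRNG on every call, so two accounts with the
    same password produce different records (no shared-digest lookup).
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute H(password, stored salt) and compare in constant time."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:  # malformed record: wrong field count, bad hex or int
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def unsalted_md5(password: str) -> str:
    """What the question describes: identical passwords give identical digests,
    so one precomputed table answers every account at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Tr0ub4dor&3", record))                   # False
```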