Is it a good idea to md5 hash my password for extra security before putting it into a website?
Like say my password for ebay is "monkey777829". If I md5 hash it becomes longer but I still only have to remember monkey777829.
Is that more secure from cyber crackers?
are you some kind of moron?
You are literally retarded
No.
Im just gonna keep this short and sweet:
no. unles your password is made up of dumb keywords like "password," "123," "year number,' exc. exc. password length determines the effectiveness of crackers.
that said, the absolute best alternative is to create a long string of random things that is easy for you to remember.
while monkey777829, i personally, find to be an acceptable password,
a better alternative, and one that is virtually inpregnible to all except social engineering, would be something along the lines of
"MonkeyBaseballBlueberryAnaconda28."
just memorize concepts instead of random letters, and you can memorize super long passwords easily.
>Like say my password for ebay is "monkey777829". If I md5 hash it becomes longer but I still only have to remember monkey777829.
dunno, this seems as a valid idea. you can be safe from dictionary and bruteforce attacks and keep using your supersimple password for convinience.
however, it does not beat password manager nor passphrases...
You guys are all idiots.
Yes op, it would be more secure. If passwords are stored plaintext its not a great improvement because md5 is easy to crack, but it will prevent skids from finding your password who use those leaked db search sites, so use a better hash algo to prevent it being found at all. If passwords are stored hashed then the attacker might try to crack them, in which case your double hash would prevent it being found, because two hashes doesnt match the cracking scheme they will be using for the entire db.
Technically yes, but really, no.
Salt it per site for added security.
The real problem these days isn't the strength of your password per se. It's that people reuse their usernames and passwords across multiple sites.
The strongest password in the world won't protect you if a site is retarded enough to store its passwords as plaintext. And when that site inevitably gets breached you can be damn sure that hackers are gonna build up a database linking usernames to their passwords, giving them access to every other site you use as well.
Conversely, this is one of the bigger strengths of password managers. Let the manager generate a new password for you each time, and you get to reuse one master password that won't be easily stolen unless you're retarded.
tl;dr use a password manager instead of trying to roll your own crypto
What about english words in cyrillic or slavic words in latin? Is that easy to brute force?
This.
Although I think you could also use a single (big) salt for all your passwords.
And then use small easy to remember phrases to generate the passwords (hashes).
For example you remember "f83kn2p9w8vy3is1" ONCE.
And then for each unique password you remember something simple like "facebook" for you facebook password, "google" for your google password, etc.
Ignore him, he's a retard.
Passwords are generally cracked through dictionary attacks, not by brute forcing them.
So, again, good or bad?
use bcrypt instead of md5
bad
Fuck me
no its only secure if you use an AES hash
this is the most reddit post ive ever seen on this website
just turn on 2fa if you're going to go through all that trouble.
fuck me in the anus
No.
No, you're an idiot.
This is a good passphrase, according to latest NIST recommendation.
>pages.nist.gov
>schneier.com
>nakedsecurity.sophos.com
Most 2FA are deprecated. The way the "additional factor" is delivered, e.g. via SMS, is even more problematic. Tokens may or may not be ok, e.g. FreeOTP vs Google Authenticator; sadly most users won't be bothered to just get a Yubico v3 or a Nitrokey
So double hash doesn't increase security, explain
Your password can be still phished, stolen via an evil browser addon, MITMed or sniffed from between the HTTP SSL frontend and the application server.
Hashing it only makes it impossible to crack it with automated tools if the database is leaked, which can be defeated more easily by just using strong passwords.
He's going to say that you could create a lookup table for the double hashes, but he's an idiot since nobody knows a priori that your password was double hashed.
Not many sitessupport U2F anyway. Even then they usually require using SMS as a spare second factor, making you as insecure as with SMS, anyway.
Every few months I generate a random typeable 12 character password with an additional 12 characters for special cases (disc encryption). I normally just use the previous password for the next 'tier' of accounts (old bank)->(logins) etc.
Don't know if this is an adequate schema or not.
No, it doesn't.
No, you're an idiot. The "hashed" value IS the password.
It's not.
Yes it will be more secure, just cause its longer.
Maybe if you used a hashing algorithm that had less collisions.
if someone hacks the site , they can just reverse the hash. It doesnt fix the problem
>2020
>not using a password manager
>ishygddt
passwordstore.org
here, you have a gpg key combined with your password that will store random generated passwords in this db.
Hashs are not reversible.
You can however pre compute a table of it and then look for the matching.
I tried this but its really incovenient. Some site have other requirements than others, like for example a special character. You would have to memorise that as well and it becomes a big mess.
In the end, a password manager with a strong master password is probably best.
just use a better password you nigger, that will be a pain the ass to do every time. Are you an idiot? He's talking about using the hash as a password which will then be hashed again. And the entire point of hashes is that they are one way and can't be reversed, only guessed with cracking software
I think a good salt for your passwords is to cypher the alphabet before you type in a password, and change the cypher keyword for each password you need.
for example,
abcdefghijklmnopqrstuvwxyz, &
goleabcdfhijkmnpqrstuvwxyz for google.
128bits [:alnum:]? thanks but no thanks
if someone hacks the site, and the passwords are in plaintext, they can use the md5 hash directly, since the md5sum is the password itself. longer passwords protect only if the "leaked db" has been securely salted+hashed itself. An attacker has NO reason and no interests in discovering the "seed" (.....) "monkey777829"
>and the passwords are in plaintext
what kind of retarded website stores passwords in plaintext? why on earth would you use a website that is doing that? Ebay is not storing passwords in plaintext
He actually does have a point.
Does it add any cryptographic entropy? No, of course not.
Does it make your account less likely to be hacked? Hell yes.
If passwords are hashed in the database, your MD5 password is way harder to bruteforce than monkey777829 -- especially if the hacker doesn't already know your password is an MD5 hash. Say they DON'T know it's an MD5, which is the case -- you have a 32 character alphanumeric password, and even if they correctly guess it's all lowercase plus numbers and that it's exactly 32 characters, that's 36^32 possibilities, which is basically unguessable. Say they know it's an MD5 of a simple string -- you're still adding a computational step, an extra hash, to each guess they do, so you're doubling the time it takes to guess -- but realistically they're going to go for the low hanging fruit, not write custom code to hack your password.
...Furthermore, you can use this as a poor man's Keepass. For each site's password, put your password, append ## and the site's name, and MD5 it. You now have a unique 32 char alphanumeric password, different for each site, and just 1 master password and process to remember.
The downside is that if you want to change your master password, you have to change each site's password, and if you want to change a site's password, you have to change your master password.
So really, just use a password manager.
Not everyone is ebay, and not every webdev adopts sounds security practices as far as user's data are concerned.
Oh in that sense, yes. the hashed value is indeed stronger against brute forces (but who the fuck use bruteforcing nowdays when your ip gets locked after 3 failed attempts?). However if you use a unique hash algorithm for every site all you need to remember is the password monkey7777829. So if a hacker gets the hashed password he will just get that hashed value that is completely useless since he did not use that password on other sites.
>who the fuck use bruteforcing nowdays when your ip gets locked after 3 failed attempts?
someone who has the leaked db.
After reading this thread are some of you fucking dumb?
First, if you use a basic bitch password that isn't at-least 16 characters with mixed case alphanumeric shit with symbols, you're a faggot. The bump from going to 16 characters to 32 characters in terms of password strength doesn't matter because there aren't any 16 character tables, let alone 15, 14 13 or even 12.
Next, it is indeed a quick shortcut way if you are too stupid to think of a real password, example:
hurr is a 4 character password and stupid easy to crack, passing it through md5 gives you
e17d33067c6e2a1314cca57311b5ec0e
which is impossible to remember but as long as you can remember hurr and to md5 it you're good. You could just as well use sha512 and have an even longer password. The real redpill is just using passwords that are good
Thisdeadendwebsitecontinues2occupytiem4me:(
which is really easy to remember.
I use hashes as my password, sha256 not md5, but I have a salt which I concatenate to my password then hash that then map results to a list of allowed characters.
Don't just get the hex of an md5 because then the only characters in your password will be [0-9a-f].
>just reverse the hash
hurr
>Don't just get the hex of an md5 because then the only characters in your password will be [0-9a-f].
which only matters if the person cracking it knows this, in which case they'd be better off hashing normal cracking methods
>Don't just get the hex of an md5 because then the only characters in your password will be [0-9a-f].
The encoding of the underlying data does not change the amount of entropy in a password
I was thinking of doing something similar to OP except my idea was
>to find a hashing algorithm with much larger outputs, say 128 characterers
>out of that long keystring memorize the location of the beginning of my password, and the numbers of characters that make it up from the beginning
Is this a good idea or not? Id have a truly long and random password, since im picking only a part of the chain and I only have to memorize the initial phrase and locations of beginning and end.
If I'm understanding your idea right, what you'd basically have at that point is a password card, which isn't a bad idea. I use one of these to store the master password of my password manager.
Yeah pretty much, I'd use only for the highest security needed ones, possibly printed on paper but again only me knowing where it starts and ends, and maybe a few extra characters thrown it that again only I'd know where they're inserted. I'd only have to memorize the initial keyphrase to be hashed and beginnings-ends, and then could even reuse said positions with a different keyphrase.
read about argon2 and use that instead of a simple hashing function. use at least 1000 iterations.
Just use a password that is 10 or more random characters with symbols, numbers, upper and lower case. No once is even going to bother trying to crack that hash with current computing power.
How would you know? Adobe didnt hash those 150 million accounts.
This is true jesus. Taking the hash of your current password will give you a longer password which is more secure. IT DOESNT MATTER IF THE HASH YOU USE IS CRACKED. If hackers ever get the password hash table it's IMPOSSIBLE they have the hash of the md5 hash of "monkeyfag9138r7324" ffs
>monkey777829
thats trivial with totays hash rates,consider using special signs.
>not using KeePass