Is it worth to MD5 each letter of a password?
Greetings,
I'm currently working on a project which involves a login system which is aiming to be as secure as possible for the set-up.
What I'm asking is, would it be worth it to MD5 each element in a char array (obtained from a Password field), by which you add a salt to each char element to be hashed with MD5, upon completing that, add all the hashes from each character, and then add a separate salt to that, and MD5 it again?
Is this actually secure, or just overkill?
Not secure at all, as the key space is only 255. Adding a salt to each letter would achieve nothing more than adding the same salt to the whole string, and could possibly reduce the entropy of the hash rather than increasing it.
The correct solution is to use a proper password hashing algorithm (like bcrypt, scrypt or pbkdf2) and avoid making up your own algorithms.
MD5 (and SHA-1, SHA-2, etc.) are so fast it is very easy to brute-force passwords anyway.
Edit
And today we see a wonderful example of why: iPhone hacker publishes secret Sony PlayStation 3 key
However, Sony wrote their own signing software, which used a constant number for each signature.
Probably better would be to use a more current hashing algorithm like SHA-1/SHA-2. There are known vulnerabilities in MD5 (and even the more modern SHA-1 has some).
Doesn't sound like a very good idea to me, neither does using MD5. Use a modern SHA algorithm instead (like SHA256).
MD5 is flawed:
http://www.kb.cert.org/vuls/id/836068
It seems that with your proposal you will only increase the security by O(n+1), where n is the password length, which is not enough.
Instead of doing all this mess you should choose another hash algorithm, like SHA-256 or SHA-512, that are much more secure.
That wouldn't really be any more secure.
A much more important choice is to use something other than MD5 for this kind of hashing. MD5 is insanely fast to bruteforce (especially on massively parallel hardware, such as graphics cards) and as such easy to crack (at least for single passwords).
If you use something more complex like SHA-512, you'll add much more security.
No - that won't make it more secure at all. If you want it more secure then use a better hashing algorithm, like SHA1.
If you want to be as secure as possible you should use some different hash algorithm, md5 is known to have some collision attacks.
Have a look at http://en.wikipedia.org/wiki/Comparison_of_cryptographic_hash_functions
Is it worth to MD5 each letter of a password?
That would make the password LESS secure. To brute force crack a complete password you need to try every combination of every letter (or have a good dictionary). If you encrypt one letter at a time, you would only have to attempt to crack one letter at a time (which is trivial).
I'm currently working on a project which involves a login system which is aiming to be as secure as possible for the set-up.
That is a big task. Most people who hack into a system have inside knowledge, such as former employees. I would suggest you be realistic at what lengths you are willing to go to ensure security.
Tomb workers for the Pharaohs would entomb as well to ensure none of them would tell the location of the tomb, and yet AFAIK only one tomb was ever found intact. ;)
You could try Seeded SHA to increase security.
A better hash algorithm and a good salt would be a good start. Once a hacker knows you put single characters in a hash then it is piss easy to decrypt. Rainbow tables for single characters can be generated within seconds ;).
SHA-512 might be a good alternative for a hash algorithm. And don't generate a hash from the password only. Use a salt as well. This way you can store passwords pretty safe.
If your passwords need to be sent from one application (client) to another (server) then it is probably even more important to use a secure protocol for communication.
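An added example, not part of the original thread or any poster's code: the per-character step from the question (assuming the per-character digests are what an attacker gets to see, as one answer above does) shown beside salted PBKDF2 over the whole password, one of the algorithms the first answer names. The salt, the sample password, the iteration count and all function names are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample values for this example (not from the thread).
CHAR_SALT = b"per-char-salt"
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune it to your hardware


def per_char_digests(password: str, salt: bytes = CHAR_SALT) -> list[str]:
    """Inner step of the scheme in the question: salted MD5 of each character.

    Assumes single-byte (Latin-1) characters, matching the 'key space of 255' remark.
    """
    return [hashlib.md5(salt + ch.encode("latin-1")).hexdigest() for ch in password]


def invert_per_char(digests: list[str], salt: bytes = CHAR_SALT) -> str:
    """Each digest has at most 256 possible inputs, so one small table inverts them all."""
    table = {hashlib.md5(salt + bytes([b])).hexdigest(): chr(b) for b in range(256)}
    return "".join(table[d] for d in digests)


def hash_password(password: str, iterations: int = ITERATIONS) -> tuple[bytes, int, bytes]:
    """Hardened form: one random salt per user, PBKDF2-HMAC-SHA256 over the whole password."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, derived  # store all three values with the account


def verify_password(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(derived, expected)


if __name__ == "__main__":
    sample = "S3cret!"  # constructed sample password
    # The per-character digests give the password back after 256 MD5 calls in total.
    print(invert_per_char(per_char_digests(sample)))
    record = hash_password(sample)
    print(verify_password(sample, *record), verify_password("guess", *record))
```

The work needed to build the lookup table does not grow with password length, whereas every PBKDF2 guess costs the full iteration count against the whole password.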