How are Crypt and Salt safer than MD5 against brute force attacks?

Question

How are Crypt and Salt safer than MD5 against brute force attacks?

I read on PHP.net that MD5 is useless and they suggest using crypt + salt.

So, I went to the description of their functions and read

<?php
$password = crypt('mypassword'); // let the salt be automatically generated

/* You should pass the entire results of crypt() as the salt for comparing a
   password, to avoid problems when different hashing algorithms are used. (As
   it says above, standard DES-based password hashing uses a 2-character salt,
   but MD5-based hashing uses 12.) */
if (crypt($user_input, $password) == $password) {
   echo "Password verified!";
}
?>

or in my case something like:

$stored_password=fetch_password($user);
if (crypt($_REQUEST['password'],$stored_password)===$stored_password) {
// ok
}

So, when I see that the salt is stored in a hashed password and that you use this hashed password as a salt, I think that Crypt + Salt is no more secure against brute force output (hackers who managed to steal the hashed passwords). Is it safer?

Against a dictionary attack, I can understand its strength, but for a brute force attack on hashed passwords, I see no advantage.

+5

php crypt md5

user1117862 Dec 27 '11 at 15:45

source share

3 answers

( ) , . - . , . .

MD5 - .

+2

Zar 27 . '11 15:49

-, .

( ).

.

0

MrGlass Dec 27 '11 at 15:52

source share

Eugen Rieck · Accepted Answer · 2011-12-27T15:54:59+0000

Crypt with hash MD5. , .

MD5 MD5 PLUS, MD5 .

, , PLUS crypt , MD5

(google bcrypt), , .

How are Crypt and Salt safer than MD5 against brute force attacks?

More articles: