Discussion in 'Spigot Discussion' started by TheKnight, Jun 5, 2015.

  1. I have stumbled upon a plugin, LoginSecurity, and it offers different encryptions for storing passwords.
    List: BCRYPT, MD5, SHA, SHA-1, SHA-256, SHA-512, PHPBB3
    My question would be, which one is the best in terms of speed?
  2. "MD5, SHA, SHA-1, SHA-256, SHA-512",
    Those aren't encryptions, they're hashing methods. I think BCrypt is also a hashing method but never used it, never heard of PHPBB3. From my knowledge, in terms of security the hashes rate (first being best): SHA-512, SHA-256, SHA-1, SHA, MD5. In terms of speed to hash (there is literally a few milliseconds difference, and again, first = best): MD5, SHA, SHA-1, SHA-256, SHA-512. It's advised to use SHA-512 for maximum security.

    Now in case anyone is wondering about the security, there are currently rainbow tables for all types of hashing methods, however you should be using a salt anyways or running the hash multiple times to ensure safety. Another thing is that MD5 (and possibly SHA[-1]) has apparently been cracked so that they can be reversed.

    EDIT: I don't even think encryption is used for data storage, but more for communication.
    EDIT 2: About the speed thing, this is because the more secure the hash, the more ways the hashing method uses to make the string as irreversible as possible. The newer hashing methods use a lot of methods to achieve this and may take slightly longer to complete a hash. Again, this is a tiny number of milliseconds in computing.
  3. For a Minecraft server, does the security matter?
  4. Not really. As they have to bypass other stuff.
    Mojang Auth (unless cracked)
    General Smartness (Not a lot do :p)
    Basic MD5 and maybe two md5's is enough.
  5. Tux


    @nfell2009 is utterly wrong in suggesting SHA-256.

    MD5, SHA, SHA-1, SHA-256, SHA-512 are hashing algorithms. The plugin may not implement proper security for these (such as salting and multiple rounds).

    The most secure one out of these is BCRYPT, which is a strong password hashing algorithm that is difficult to crack when configured with a reasonable amount of rounds (i.e. 10) and with a non-buggy library. It is used by most PHP applications to hash passwords, as a matter of fact. (Although I dislike PHP with a passion, this is one thing I do give them credit for.)
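
Added example (not part of the thread and not LoginSecurity's code) illustrating the salting and multiple-rounds point in the post above: identical passwords give identical unsalted MD5 values, while a salted, iterated hash gives a different stored record each time and costs far more per guess. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt here; the function names, storage format, sample password and iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example; tune to your hardware


def md5_unsalted(password: str) -> str:
    """Fast, unsalted digest: what the thread calls 'basic MD5'."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash stored as 'iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def cost_seconds(fn, *args) -> float:
    """Wall-clock cost of one hash; this is the price of each attacker guess."""
    start = time.perf_counter()
    fn(*args)
    return time.perf_counter() - start


if __name__ == "__main__":
    pw = "hunter2"  # constructed sample password
    # Two players with the same password: unsalted MD5 rows are identical,
    # so one precomputed-table lookup reveals both.
    print("md5   :", md5_unsalted(pw), md5_unsalted(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("pbkdf2:", a[:40], "...")
    print("pbkdf2:", b[:40], "...")
    print("verify:", verify_password(pw, a), verify_password("wrong", a))
    print("cost  : md5 %.6fs, pbkdf2 %.6fs" % (
        cost_seconds(md5_unsalted, pw), cost_seconds(hash_password, pw)))
```
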
  6. Tux


    MD5 is laughably insecure
  7. It's advised for maximum security, along with a salt and multiple rounds. I never said I personally advised it, say, over a salted/multi sha1/256.
  8. Care to give me the reverse algorithm for me to un-MD5?
  9. Computers are now able to easily unhash the string (some easier than others), and there are billions of entries in rainbow tables on multiple sites that make MD5 pretty much useless in this day and age. Even the creator of MD5 suggests to change to a stronger hashing algorithm: http://phk.freebsd.dk/sagas/md5crypt_eol.html?highlight=md5