Security hashes are an essential for keeping your user’s passwords and other sensitive information safe. Given that MD5, SHA and Whirlpool encryption are all available to web developers without charge in some way shape or form, this discussion isn’t a review per se, rather, it’s an examination of one-way encryption methods and what makes one stronger than the other.
The answer is actually very simple: the more bits a hash contains, the more secure. MD5 is a 128-bit string, SHA-1 is a 160-bit string and Whirlpool is a 512-bit string. Based on this alone, Whirlpool is clearly superior to both SHA-1 and MD5. Here are some reasons why:
None of these encryption methods are crackable. That is, no one has been known to be able to decrypt a hash and convert it back into a string. The way a MD5, SHA or Whirlpool encryption works is by taking a string and then converting it into a hash. Then, to check the validity of a password, the system takes the user-inputted password and turns it into a hash. If the two hashes match, then it can be assumed that the password entered was correct—all without the system ever having to “reverse engineer” the hashed string. In this way, even a systems administrator won’t know its own users passwords and still be able to manage a user base.
Encrypted hashes are susceptible to brute force attacks. This is when a hacker takes a known hashed string and then systematically tries to guess the password until it finds a string that matches the hashed string. Hashed password strings can be lifted from cookies or by hacking into databases. Also, for sites without protections against repeated automated login attempts, brute force can be done directly on the web without getting a hashed string.
This is where MD5 becomes problematic. A collision occurs when two or more strings create the same hash. This vastly increases the chances that a hacker can successfully find a password that will give them access to a system. MD5 has fewer bits, so the chances of a collision are greater. In fact, hackers have compiled rainbow tables to help them hack MD5 tables by referencing known matches.
No Hash is 100% Secure
The fact of the matter is that it’s just a matter of time before someone guesses a password using brute force. With automated programs and high end hardware, a brute force program can run thousands of random strings in minutes. A longer hash just means that it takes a hacker longer to guess your password—granted, it may take months or years to do so, but it still can be done.
All of the above hashing methods are best used when combined with a salt. A salt can be added to an MD5, SHA or Whirlpool string. A salt is a common practice where a system adds a string to a password prior to encryption. With this method, it’s nearly impossible for a hacker to brute force a password without first knowing the salt. To make a salt even more secure, you can generate a unique salt for each user, rather than using a system-wide salt.
Using a Whirlpool encryption might be overkill—especially since managing a 512-bit string is a little bit ungainly. Instead, you should use a salt, regardless of what you use for encryption. Unless someone views your source code, they won’t be able to hack your user passwords via brute force.