MD5 Authentication

Phoenix Forum Questions / Help
,
1

I am currently in need of an authentication page.
I need to authenticate with a user, which exists in the database

Ex:
In my database I have the following user created.

| id | name | password | email | dashboard | profile_id | created | updated

| 1 | admin | 827ccb0eea8a706c4c34a16891f84e7b | test@mymail.com | ----- | 1 | 2017-01-04 17:11:12 | 2019-04-29 17:55:58

Note: to obtain this password, I would use the following command in the elixir:

:crypto.hash(:md5, "12345") |> Base.encode16(case: :lower)

I need to create an authentication page that queries this password and sends it to another page.

Someone would have some example project to show me, how would it look?

I needed to know what it would look like on the controller.

2

You do not want to use MD5 to hash your password, especially not without a salt.

You should take a look at comeonin, you can use it with one of 3 hashing algorithms.

6 Likes
4

I thought there would be some way, anyway thank you

5

i prefer to use Argon2 (https://password-hashing.net/ winner) instead of Bcrypt or even MD5

iex> hash = Argon2.hash_pwd_salt("password")
iex> Argon2.verify_pass("password", hash)
...> true

i don’t know if this related or not (without database/ecto) :

6

TBH I still wait for Argon2 to become a little older. While bcrypt has its downsides it is older, much older, and in crypto world it is good thing. Bcrypt right now is still the safest choice IMHO.

2 Likes
7

The people replying here are right, don’t use MD5. However, is this for an existing database? In that case, users should be required to change their password when signing in, where you then use a better hashing algorithm.

As for argon2 vs bcrypt (will be somewhat off topic discussion):

NIST and RFC recommends PBKDF2-HMAC-SHA256 or PBKDF2-HMAC-SHA512, and this is required for FIPS certification (I chose it as the default for Pow). Argon2 and bcrypt are better, but it’ll probably be a while before either of them will be recommended by NIST or RFC. It also seems that NIST believes storing the password hash is ultimately a doomed model no matter the hashing algorithm, but all this isn’t really that relevant for almost all apps we’re building :grin:

Here in 2019, Argon2 would be my first choice going forward (best is to have Argon2id). Bcrypt has a lot more battle experience, but is not memory hardened. If you want to follow official guidelines, or require certification then you should go with PBKDF2, but GPU/ASIC/FPGA makes cracking these hashes trivial (still this threat model is much, much better to have than MD5).

Here’s a blog post going more in-depth for anyone interested: https://medium.com/@harwoeck/password-and-credential-management-in-2018-56f43669d588

4 Likes
8

scrypt is even better protected than bcrypt against brute force, if memory serves.

1 Like