Is Adler32 easy to decrypt and why?

Question

I heard that we shouldn't rely on Adler32 and I want to ask why.

Why shouldn't we trust Adler32 to hash ? Is it reversible ? Or can we just see the real text with ease ?

Answer 1

One does not "decrypt" a hash, and a hash does not hide the "real text" -- encryption, not hashing, does that. But if you mean, can Adler-32 be used as a cryptographic hash?, then absolutely not. The requirement for a cryptographic hash is that it be extremely hard, effectively impossible, for foreseeable hardware and mathematics to construct a message with a given hash. It is quite easy to do that for an Adler-32, and in fact is easy with any 32-bit hash. 32-bits is simply not enough.

Answer 2

Absolutely you can not use Adler32 for password hashing.

For short inputs substantial information can be gained from a 8-bit CRC. Typically for a cryptographic hash a one bit change in the input data 50% of the output bits will change.

It isn't designed to avoid collisions, it is a CRC. Many hash functions are designed for other purposes where collisions are not a problem such as dictionary lookups or the storage bins at a "bottle club" which just uses the last couple of digits of a membership number to achieve somewhat even distribution of bottles across storage bins.

Password security:

Just using a hash function is not sufficient and just adding a salt does little to improve the security. Instead iIterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2, password_hash, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.

One reason why SHA-512 with a salt is not sufficient is a laptop (mine) can execute 750,000 per second, this would be applied to a list of 10,000,000 passwords sorted by frequency of usage Then there are special programs that fuzz those. Unless it is spear-fishing an attacker will probably be satisfied with 90% of the passwords cracked. So by lengthening the computer time from <2us to >100ms it takes the attacker 50,000 times as long, he will probably move on the the next site.

Protecting your users is important, please use secure password methods.

Here is why: an attacker hits your site, gets the MD5 passwords, uses brute force with a list of common passwords and has the user's username and password. Now the attacker uses this on another site to gain access to more sensitive data since most users re-use passwords. You have just helped compromise the user. Note: A decent hacker rate could be 1 billion/second. Attacker will love your site and you will not even know it was successfully attacked.