How reliable is this hash? Is it possible to get the original password knowing the hash? Is it possible in principle?
The reliability of the hash depends on the hash algorithm.
I think it is quite reliable protection. But how do I implement it?
I also think that it is quite reliable protection against brute-forcing the password, which, in general, says nothing about the protection of everything else. How to implement the simplest variants:
a) Log the IP from which an unsuccessful login attempt came, together with the date and time of the event, in the database (or whatever other storage you use); when a password is tried, check how many failed attempts there have been from this IP recently, and if there are more than X, password entry is locked.
b) The same as (a), but check not the IP address but the login that is being tried.
c) A combination of (a) and (b).
d) Many other options, of which there are simply a lot, including the use of Google captcha, bot recognition systems, and various combinations of the protection methods and all sorts of contortions, including those described above.
Is it possible to get the original password knowing the hash? Is it possible in principle?
By itself, a hash is not a reversible form of encryption, if that is the question. In other words, hash algorithms do not imply any "decoding" a priori. But there really are ready-made tables for md5 hashes (I think they exist for other hash algorithms too, and as you have already guessed, such a table maps the original data to the result of hashing it), which to some extent let you "decrypt" md5 (well, unless you take into account the fact that quite different inputs may end up giving the same hash, because the number of possible inputs is infinite while the number of possible hash values is still finite).
I thought of starting to learn cryptography to improve security, and of storing not the password hash but the encrypted hash of the password.
Only small matters remain:
1. Study cryptography (yourself) to a level sufficient to accomplish the task, including writing your own cryptographic algorithms (encryption methods), as mentioned here:
Of course, you still have to come up with this encryption method, but that is another question.
2. Solve the problem of safe storage of the private (secret) key, which you will definitely need in this case.
PS Judging by the context of your question, you are trying to build some sort of "mega-defense" in one place, losing sight of the fact that protecting the password form, and this mechanism in general (we are talking about the same question, aren't we?), is ~1% of the total security of the average system, and there are masses of examples of this. For example, there are many cases where large mail providers suddenly "leaked" their user databases, including passwords (hashed, of course), and clearly this was not connected with brute force (or similar acts); there are all kinds of Heartbleed, from which very large companies "officially" suffered, whose network security was watched over by people far more knowledgeable in this matter than you, I and all the other participants in this question put together, etc. [many examples]. Do you seriously think that the goal of any hacker is to find or obtain one password, and (even if his goal is exactly that, all of a sudden) that this hacker, before losing momentum, will "beat his head against the wall" trying to obtain this ill-fated password by brute-forcing the login form or something similar, and after unsuccessful attempts will give up all his "hacking" and stop?
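An added illustration of variants (a) to (c) from the answer above, not code from the original thread: a sliding-window counter of failed attempts keyed by both client IP and login, with lockout once more than X failures fall inside the window. The threshold, window length, key names and sample events below are constructed assumptions.

```python
import time
from collections import defaultdict, deque


class FailedLoginTracker:
    """Remembers timestamps of failed login attempts per IP and per login
    (variants a and b); is_locked() combines both checks (variant c)."""

    def __init__(self, max_failures=5, window_seconds=900):
        self.max_failures = max_failures      # the "X" from the answer
        self.window = window_seconds          # how far back "recently" reaches
        # key -> deque of failure timestamps, oldest first
        self._failures = defaultdict(deque)

    def _recent(self, key, now):
        """Drop entries older than the window and return the live deque."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def record_failure(self, ip, login, now=None):
        now = time.time() if now is None else now
        # One failed attempt counts against both the source IP and the login.
        for key in (("ip", ip), ("login", login)):
            self._recent(key, now).append(now)

    def is_locked(self, ip, login, now=None):
        now = time.time() if now is None else now
        # Locked if either the IP or the login exceeded X failures in the window.
        return (len(self._recent(("ip", ip), now)) > self.max_failures
                or len(self._recent(("login", login), now)) > self.max_failures)


def check_login(tracker, ip, login, password_ok, now=None):
    """Gate a login attempt: refuse while locked, otherwise record failures.
    Returns "locked", "ok" or "failed"."""
    if tracker.is_locked(ip, login, now):
        return "locked"
    if password_ok:
        return "ok"
    tracker.record_failure(ip, login, now)
    return "failed"


if __name__ == "__main__":
    # Constructed sample: one IP hammering several logins within a minute.
    t = FailedLoginTracker(max_failures=3, window_seconds=60)
    events = [("203.0.113.5", "alice", False, 100 + i) for i in range(4)]
    for ip, login, ok, ts in events:
        print(ts, login, check_login(t, ip, login, ok, now=ts))
    print("same IP, other login:", check_login(t, "203.0.113.5", "bob", True, now=105))
```

Even a correct password is refused with "locked" while the counter is over the threshold, which is the behaviour the answer describes; a real deployment would persist the timestamps in the database or other shared storage rather than in process memory.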