[SOLVED] I almost dare not ask...
md5(sha1(str_rot13($passvar)));

Joe wrote:
> A bit more secure I would say
> md5(sha1(str_rot13($passvar)));

hahahah.. oh geez. That's scary.
- evilmonkey
Dull, mdcrack works great.
So does google. Also, Joe, I doubt phpdn would be in the dictionary.
Also, I would do something like md5(md5(md5($passvar)));. That'll confuse the hell out of the sorry sucker who's using mdcrack, and the resulting string would be 32 characters, which would take years to crack. And you'd have to do that 3 times according to my example. Not worth it, I think.
evilmonkey wrote:
> Also, I would do something like md5(md5(md5($passvar)));. That'll confuse the hell out of the sorry sucker who's using mdcrack, and the resulting string would be 32 characters, which would take years to crack. And you'd have to do that 3 times according to my example. Not worth it, I think.

Sorry, no matter how many times you md5 it, it's going to be 32 characters.
Multiple runs don't make it more secure - more confusing, perhaps - but not more secure.
In fact, sha1 by design does run one portion of its algorithm multiple times to increase its strength - but not the entire algorithm. Doing so reduces the entropy space, and the randomness - which makes things less secure.
- John Cartwright
- evilmonkey
Roja wrote:
> evilmonkey wrote:
> > Also, I would do something like md5(md5(md5($passvar)));. That'll confuse the hell out of the sorry sucker who's using mdcrack, and the resulting string would be 32 characters, which would take years to crack. And you'd have to do that 3 times according to my example. Not worth it, I think.
>
> Sorry, no matter how many times you md5 it, it's going to be 32 characters.
> Multiple runs don't make it more secure - more confusing, perhaps - but not more secure.
> In fact, sha1 by design does run one portion of its algorithm multiple times to increase its strength - but not the entire algorithm. Doing so reduces the entropy space, and the randomness - which makes things less secure.

That's not what I'm saying. Remember I said that if the string is over 5 characters, the time to crack it goes up exponentially? You're dealing with 32 characters, multiple times. That will take a long time (we're talking years), and won't be worth it to any hacker unless it's the PIN number to Bill Gates' personal bank account.
evilmonkey wrote:
> Sami wrote:
> > 5 chars: d6aca7c53b1d7fbfd2aac0458808ac26
> > 4 chars: 4f8de24d6093ac5d25c7cfafc474d49f
> > 3 chars: fda71993dbb74d33a8d02806aafd4bba
> > Let's see if you can go 3/3.
>
> Hello Sami,
> Your 5 char hash is phpdn (~1 minute)
> Your 4 char hash is sami (~1 second)
> Your 3 char hash is heh (instant)
> 3/3?

Just wanted to say he got all 3 right.
evilmonkey wrote:
> That's not what I'm saying. Remember I said that if the string is over 5 characters, the time to crack it goes up exponentially? You're dealing with 32 characters, multiple times.

No, you aren't. You are still dealing with one string - and the original string is *still* 5 characters - just because the output is 32 characters doesn't change the original input.
Running it through multiple ciphers just increases the computation time for the attacker to test each iteration. If they know you use md5 three times, it's just going to take 3x as long to do a dictionary attack.
By that logic, you might as well do it 100 times.
Worse, that only increases the attacker time if they know the method - if they don't, there is *no* change in the attack time - brute force guesses will take the same number of tries in the input system.
evilmonkey wrote:
> That will take a long time (we're talking years), and won't be worth it to any hacker unless it's the PIN number to Bill Gates' personal bank account.

The same script you use to test single-md5 results can be redone to test triple-md5 results at a 3x increase.
So instead of your 5 char = ~ 1 minute, it would be ~ 3 minutes. 4 char ~ 1 second, would be ~ 3 seconds.
It doesn't increase it exponentially - it increases it linearly.
And much like md5 itself, you can easily generate a dictionary/collection of outputs to speed the attack up.
There is minimal advantage to doing multiple rounds of md5, and what little advantage it brings is trivial compared with using a different method, or focusing efforts on other portions of the security solution.
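
The linear-cost point made in the post above, as an added example that is not part of the thread: it times one guess under md5, under triple md5, and under a salted, deliberately slow hash, then shows how unsalted and salted outputs differ for the same password. The function names, the loop counts, and the choice of bcrypt at cost 12 as the "different method" are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

function triple_md5(string $password): string
{
    return md5(md5(md5($password)));
}

// Average wall-clock seconds to hash one candidate password.
function per_guess_seconds(callable $hash, int $rounds): float
{
    $start = microtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $hash('candidate' . $i); // constructed inputs
    }
    return (microtime(true) - $start) / $rounds;
}

$bcrypt = function (string $password): string {
    // Assumption: bcrypt at cost 12 stands in for "a different method".
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
};

$single = per_guess_seconds('md5', 200000);
$triple = per_guess_seconds('triple_md5', 200000);
$slow   = per_guess_seconds($bcrypt, 5);

printf("md5:           %.2e s per guess\n", $single);
printf("md5 x3:        %.2e s per guess (%.1fx md5)\n", $triple, $triple / $single);
printf("bcrypt cost12: %.2e s per guess (%.0fx md5)\n", $slow, $slow / $single);

// Unsalted schemes map equal passwords to equal stored values, which is what
// makes a precomputed collection of outputs reusable across every account.
var_dump(triple_md5('phpdn') === triple_md5('phpdn'));

// password_hash() generates a fresh salt per call, so the stored strings
// differ while password_verify() still accepts the password.
$first  = $bcrypt('phpdn');
$second = $bcrypt('phpdn');
var_dump($first === $second, password_verify('phpdn', $first));
```

The cost parameter is the tunable part: each increment doubles the work per guess, whereas each extra md5 call adds one fixed unit.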
I have all this working now, thanks to all.
Now I have a follow-on question. Previously I had a "Forgotten Password?" page which sent users their password when they entered a valid email address. Now, using the md5 approach, the password is no longer retrievable as plain text. So what facility would you normally implement on your sites for forgotten passwords?
The way that I am thinking of doing this is to have a "Reset Password Request" form which asks for the user's email address and user name and then sends them a newly generated random password at that address.
The problem is of course that if another user knows your name and email address, they can request a password reset, which is annoying.
- denlou
feyd wrote:
> Create a random password generator. Add a "new_password" column in your users table. Set that field of their record when they request a forgotten password and email the information to them. If they log in without using it, then clear the new_password field.

You really have to stop looking at the PhpBB DB, man.
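
The "new_password" column scheme quoted above, as an added example that is not code from the thread or from phpBB: a reset request leaves the current password working, so a request filed by someone else cannot lock the owner out. The table layout, the function names, the sample account, the in-memory SQLite database, and the use of password_hash() for both columns are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Table, column and function
// names are assumptions; the account below is constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password TEXT, new_password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, NULL)')
   ->execute(['sami@example.test', password_hash('original-pass', PASSWORD_DEFAULT)]);

// Reset request: only a hash of the temporary password is stored, and the
// existing password is left untouched. The caller mails the returned
// plaintext to the registered address and never displays it on the page.
function request_reset(PDO $db, string $email): ?string
{
    $temp = bin2hex(random_bytes(8)); // 16 hex characters from the CSPRNG
    $st = $db->prepare('UPDATE users SET new_password = ? WHERE email = ?');
    $st->execute([password_hash($temp, PASSWORD_DEFAULT), $email]);
    return $st->rowCount() === 1 ? $temp : null;
}

function login(PDO $db, string $email, string $password): bool
{
    $st = $db->prepare('SELECT password, new_password FROM users WHERE email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    if (password_verify($password, $row['password'])) {
        // Logged in with the old password: discard the pending one.
        $db->prepare('UPDATE users SET new_password = NULL WHERE email = ?')
           ->execute([$email]);
        return true;
    }
    if ($row['new_password'] !== null && password_verify($password, $row['new_password'])) {
        // Emailed password used: promote it and clear the pending column.
        $db->prepare('UPDATE users SET password = new_password, new_password = NULL WHERE email = ?')
           ->execute([$email]);
        return true;
    }
    return false;
}

$temp = request_reset($db, 'sami@example.test');
var_dump(login($db, 'sami@example.test', 'original-pass')); // owner uses the old password
var_dump(login($db, 'sami@example.test', $temp));           // emailed password tried afterwards
```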