[SOLVED] I almost dare not ask...

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

Try a dictionary attack if you wish to achieve quick results. Also, mdcrack is great :D
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

md5(sha1(str_rot13($passvar)));
A bit more secure I would say :P
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

Joe wrote:

md5(sha1(str_rot13($passvar)));
A bit more secure I would say :P
hahahah.. oh geez. That's scary.
Joe
Forum Regular
Posts: 939
Joined: Sun Feb 29, 2004 1:26 pm
Location: UK - Glasgow

Post by Joe »

How is it scary?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Post by Weirdan »

By applying a hashing algorithm multiple times you're reducing the entropy of the resulting hash, thus decreasing encryption strength. It isn't more secure at best.
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Dull, mdcrack works great. ;) So does google. Also, Joe, I doubt phpdn would be in the dictionary. ;) Also, I would do something like md5(md5(md5($passvar)));. That'll confuse the hell out of the sorry sucker who's using mdcrack, and the resulting string would be 32 characters, which would take years to crack. And you'd have to do that 3 times according to my example. Not worth it, I think.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

evilmonkey wrote: Also, I would do something like md5(md5(md5($passvar)));. That'll confuse the hell out of the sorry sucker who's using mdcrack, and the resulting string would be 32 characters, which would take years to crack. And you'd have to do that 3 times according to my example. Not worth it, I think.
Sorry, no matter how many times you md5 it, it's going to be 32 characters.

Multiple runs don't make it more secure - more confusing, perhaps - but not more secure.

In fact, sha1 by design does run one portion of its algorithm multiple times to increase its strength - but not the entire algorithm. Doing so reduces the entropy space, and the randomness - which makes things less secure.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

I have a PHP script, but it takes a long, long time. But it gets the job done.
evilmonkey
Forum Regular
Posts: 823
Joined: Sun Oct 06, 2002 1:24 pm
Location: Toronto, Canada

Post by evilmonkey »

Roja wrote:
evilmonkey wrote: Also, I would do something like md5(md5(md5($passvar)));. That'll confuse the hell out of the sorry sucker who's using mdcrack, and the resulting string would be 32 characters, which would take years to crack. And you'd have to do that 3 times according to my example. Not worth it, I think.
Sorry, no matter how many times you md5 it, it's going to be 32 characters.

Multiple runs don't make it more secure - more confusing, perhaps - but not more secure.

In fact, sha1 by design does run one portion of its algorithm multiple times to increase its strength - but not the entire algorithm. Doing so reduces the entropy space, and the randomness - which makes things less secure.
That's not what I'm saying. Remember I said that if the string is over 5 characters, the time to crack it goes up exponentially? You're dealing with 32 characters, multiple times. That will take a long time (we're talking years), and won't be worth it to any hacker unless it's the PIN number to Bill Gates' personal bank account.
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

evilmonkey wrote:
Sami wrote:5 chars: d6aca7c53b1d7fbfd2aac0458808ac26
4 chars: 4f8de24d6093ac5d25c7cfafc474d49f
3 chars: fda71993dbb74d33a8d02806aafd4bba

Let's see if you can go 3/3. 8)
Hello Sami,

Your 5 char hash is phpdn (~1 minute)
Your 4 char hash is sami (~1 second)
Your 3 char hash is heh (instant)

3/3? :lol:
Just wanted to say he got all 3 right. :wink:
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

evilmonkey wrote: That's not what I'm saying. Remember I said that if the string is over 5 characters, the time to crack it goes up exponentially? You're dealing with 32 characters, multiple times.
No, you aren't. You are still dealing with one string - and the original string is *still* 5 characters - just because the output is 32 characters doesn't change the original input.

Running it through multiple ciphers just increases the computation time for the attacker to test each iteration. If they know you use md5 three times, it's just going to take 3x as long to do a dictionary attack.

By that logic, you might as well do it 100 times.

Worse, that only increases the attacker time if they know the method - if they don't, there is *no* change in the attack time - brute force guesses will take the same number of tries in the input system.
evilmonkey wrote: That will take a long time (we're talking years), and won't be worth it to any hacker unless it's the PIN number to Bill Gates' personal bank account.
The same script you use to test single-md5 results can be redone to test triple-md5 results at a 3x increase.

So instead of your 5 char = ~ 1 minute, it would be ~ 3 minutes. 4 char ~ 1 second, would be ~ 3 seconds.

It doesn't increase it exponentially - it increases it linearly.

And much like md5 itself, you can easily generate a dictionary/collection of outputs to speed the attack up.

There is minimal advantage to doing multiple rounds of md5, and what little advantage it brings is trivial compared with using a different method, or focusing efforts on other portions of the security solution.
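
Added example, not part of any post in this thread: the linear-versus-exponential point above, measured in PHP, next to a deliberately slow salted hash as one "different method". The 3-letter lowercase keyspace, the sample string and the bcrypt cost of 10 are assumptions chosen for the demonstration.

```php
<?php
// Added example: per-guess cost of nested md5() versus password_hash().
// Keyspace (3 lowercase letters) and bcrypt cost 10 are assumptions.

/** Apply md5() $rounds times, as in md5(md5(md5($passvar))). */
function nested_md5(string $input, int $rounds): string
{
    for ($i = 0; $i < $rounds; $i++) {
        $input = md5($input);
    }
    return $input;
}

/** Hash every lowercase string of $length letters; return [candidates, md5 calls, seconds]. */
function keyspace_cost(int $length, int $rounds): array
{
    $start = microtime(true);
    $total = 26 ** $length;
    for ($n = 0; $n < $total; $n++) {
        // Turn the counter into a candidate string (base 26, letters a-z).
        $s = '';
        for ($k = 0, $v = $n; $k < $length; $k++, $v = intdiv($v, 26)) {
            $s .= chr(97 + $v % 26);
        }
        nested_md5($s, $rounds);
    }
    return [$total, $total * $rounds, microtime(true) - $start];
}

[$c1, $calls1, $t1] = keyspace_cost(3, 1);
[$c3, $calls3, $t3] = keyspace_cost(3, 3);

// The number of inputs to try is identical; only the work per guess grows, by a constant.
printf("1 round : %d candidates, %d md5 calls, %.4f s\n", $c1, $calls1, $t1);
printf("3 rounds: %d candidates, %d md5 calls, %.4f s\n", $c3, $calls3, $t3);
printf("digest length: %d vs %d hex chars\n", strlen(nested_md5('heh', 1)), strlen(nested_md5('heh', 3)));

// A salted, tunable hash raises the per-guess cost by orders of magnitude instead of 3x.
$start = microtime(true);
$stored = password_hash('heh', PASSWORD_BCRYPT, ['cost' => 10]);
$perGuess = microtime(true) - $start;
printf("bcrypt cost 10: %.4f s per guess, about %.0f s for the same %d candidates\n",
    $perGuess, $perGuess * $c1, $c1);
printf("verifies: %s\n", password_verify('heh', $stored) ? 'yes' : 'no');
```

Because password_hash() generates a fresh salt per call, the stored value also cannot be looked up in a precomputed table of outputs.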
Jean-Yves
Forum Contributor
Posts: 148
Joined: Wed Jul 02, 2003 2:13 pm
Location: West Country, UK

Post by Jean-Yves »

I have all this working now, thanks to all.

Now I have a follow-on question. Previously I had a "Forgotten Password?" page which sent users their password when they entered a valid email address. Now, using the md5 approach, the password is no longer retrievable as plain text. So what facility would you normally implement on your sites for forgotten passwords?

The way that I am thinking of doing this is to have a "Reset Password Request" form which asks for the user's email address and user name and then sends them a newly generated random password at that address.

The problem is of course that if another user knows your name and email address, they can request a password reset, which is annoying.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Create a random password generator. Add a "new_password" column in your users table. Set that field of their record when they request a forgotten password and email the information to them. If they log in without using it, then clear the new_password field.
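
Added example, not code from this thread or from phpBB: one way to implement the reset flow described above, using an in-memory SQLite table through PDO. The schema, account values and function names are assumptions, password_hash() is substituted for the thread's md5, and promoting the temporary password on first use is an assumed completion of the flow.

```php
<?php
// Added example; the users schema, account values and function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT, password TEXT, new_password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?, ?, NULL)')
   ->execute(['jy', 'jy@example.com', password_hash('original-pw', PASSWORD_DEFAULT)]);

/** Random password drawn from a CSPRNG (random_int), not rand() or mt_rand(). */
function random_password(int $length = 12): string
{
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $out;
}

/** Set new_password (hashed) for a matching account; the current password keeps working. */
function request_reset(PDO $db, string $name, string $email): ?string
{
    $temp = random_password();
    $stmt = $db->prepare('UPDATE users SET new_password = ? WHERE name = ? AND email = ?');
    $stmt->execute([password_hash($temp, PASSWORD_DEFAULT), $name, $email]);
    return $stmt->rowCount() === 1 ? $temp : null; // caller e-mails $temp to the stored address
}

function login(PDO $db, string $name, string $password): bool
{
    $stmt = $db->prepare('SELECT password, new_password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && password_verify($password, $row['password'])) {
        // Logged in without using the temporary password: clear the pending field.
        $db->prepare('UPDATE users SET new_password = NULL WHERE name = ?')->execute([$name]);
        return true;
    }
    if ($row !== false && $row['new_password'] !== null && password_verify($password, $row['new_password'])) {
        // Temporary password used: it becomes the password and the field is cleared.
        $db->prepare('UPDATE users SET password = new_password, new_password = NULL WHERE name = ?')
           ->execute([$name]);
        return true;
    }
    return false;
}

$temp = request_reset($db, 'jy', 'jy@example.com');
var_dump(login($db, 'jy', 'original-pw'), login($db, 'jy', $temp));
```

Because the existing password stays valid until the temporary one is actually used, a reset requested by someone else who knows the name and e-mail address does not lock the real user out.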
denlou
Forum Newbie
Posts: 17
Joined: Fri Sep 24, 2004 7:11 pm
Location: Richmond/Vancouver, BC

Post by denlou »

feyd wrote: Create a random password generator. Add a "new_password" column in your users table. Set that field of their record when they request a forgotten password and email the information to them. If they log in without using it, then clear the new_password field.
You really have to stop looking at the PhpBB DB man.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I don't look at the phpBB database very often.. I've just been working in it for long enough that I know too much about it.. it works pretty well overall though.. (ignoring the code anyways :P)