Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
twinedev
Forum Regular
Posts: 984 Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio
by twinedev » Thu Jun 07, 2012 11:31 am
While it has been preached here for a while that MD5 is not a good choice to use for password hashing, it was definitely confirmed:
http://phk.freebsd.dk/sagas/md5crypt_eol.html
As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.
More info:
http://www.zdnet.com/blog/security/md5- ... safe/12317 including:
The primary cause [of the decrypting of some of the 6.4 million passwords leaked] is LinkedIn’s failure to properly ’salt’ the hashed passwords using SHA-1 algorithm.
Saw an article this morning that eharmony was also compromised, however didn't catch if they are also being easily decrypted.
-Greg
Celauran
Moderator
Posts: 6427 Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada
by Celauran » Thu Jun 07, 2012 11:45 am
This simply cannot be mentioned often enough. Thanks for posting this.
twinedev
Forum Regular
Posts: 984 Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio
by twinedev » Thu Jun 07, 2012 2:49 pm
twinedev
Forum Regular
Posts: 984 Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio
by twinedev » Thu Jun 07, 2012 2:52 pm
I declare it "(Inter)National Change Your Password Day" LOL
requinix
Spammer :|
Posts: 6617 Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA
by requinix » Thu Jun 07, 2012 9:05 pm
As others have mentioned elsewhere, the whole "scrambler" thing bothers me.
Meanwhile SHA-1 is getting towards the end of its lifetime too. Current recommendations are at least SHA-256.
greyhoundcode
Forum Regular
Posts: 613 Joined: Mon Feb 11, 2008 4:22 am
by greyhoundcode » Thu Jun 14, 2012 9:30 am
requinix wrote: Current recommendations are at least SHA-256.
Or indeed to move away from such rapidly executing hash functions altogether.
twinedev
Forum Regular
Posts: 984 Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio
by twinedev » Sat Jun 16, 2012 7:10 am
greyhoundcode wrote: Or indeed to move away from such rapidly executing hash functions altogether.
So then what do you suggest?
Celauran
Moderator
Posts: 6427 Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada
by Celauran » Sat Jun 16, 2012 10:36 am
bcrypt with a high work factor.
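The following PHP script is an added illustration of the points made in this thread (the unsalted SHA-1 problem from the LinkedIn article, the "fast hash" objection, and the bcrypt recommendation just above); it is not code from any poster. It uses the standard password_hash()/password_verify()/password_needs_rehash() functions, which appeared in PHP 5.5, after this 2012 discussion, and hash_equals() from PHP 5.6; the constant name BCRYPT_COST, the function names, the sample users and the legacy-row detection rule are all assumptions made for the example.

```php
<?php
// Added example, not from the thread. Requires PHP >= 7.0 (typed parameters).

// Constructed sample input: two users who happen to choose the same password.
$users = ['alice' => 'correct horse', 'bob' => 'correct horse'];

// 1. Unsalted fast hashes (the LinkedIn failure described above): identical
//    passwords give identical digests, so one cracked digest exposes every
//    account that shares it, and precomputed tables apply directly.
foreach ($users as $name => $pw) {
    echo "$name md5:  " . md5($pw) . "\n";
    echo "$name sha1: " . sha1($pw) . "\n";
}

// 2. bcrypt via password_hash(): a random salt is generated on every call and
//    stored inside the returned string, and the cost parameter (2^cost rounds)
//    makes each guess deliberately slow, which is the point of moving away
//    from fast general-purpose hashes.
const BCRYPT_COST = 12; // assumption: tune with pickCost() for the login server

function hashPassword(string $password, int $cost = BCRYPT_COST): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
}

function checkPassword(string $password, string $storedHash): bool
{
    // password_verify() reads salt and cost back out of $storedHash and
    // compares in constant time.
    return password_verify($password, $storedHash);
}

foreach ($users as $name => $pw) {
    $h = hashPassword($pw);
    echo "$name bcrypt: $h\n"; // differs per user even though the passwords match
    var_dump(checkPassword($pw, $h));          // bool(true)
    var_dump(checkPassword('wrong guess', $h)); // bool(false)
}

// 3. Choosing the "high work factor": raise the cost until a single hash takes
//    roughly the target time on the machine that will actually handle logins.
function pickCost(float $targetSeconds = 0.25, int $maxCost = 16): int
{
    $cost = 4; // smallest cost password_hash() accepts
    do {
        $cost++;
        $start = microtime(true);
        password_hash('benchmark', PASSWORD_BCRYPT, ['cost' => $cost]);
        $elapsed = microtime(true) - $start;
    } while ($elapsed < $targetSeconds && $cost < $maxCost);
    return $cost;
}
echo "suggested cost on this machine: " . pickCost() . "\n";

// 4. Migrating existing MD5 rows without forcing a mass reset: verify the
//    legacy digest once at login, then overwrite it with bcrypt. bcrypt rows
//    stored with a lower cost than the current setting are upgraded the same way.
function loginAndUpgrade(string $password, string &$stored): bool
{
    // Assumed rule for spotting a legacy row: a bare 32-hex-char MD5 digest.
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        $stored = hashPassword($password); // upgrade on successful login
        return true;
    }
    if (!checkPassword($password, $stored)) {
        return false;
    }
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $stored = hashPassword($password);
    }
    return true;
}

$legacyRow = md5('correct horse');                  // constructed legacy database value
var_dump(loginAndUpgrade('correct horse', $legacyRow)); // bool(true)
var_dump(strpos($legacyRow, '$2y$') === 0);            // bool(true): row is now bcrypt
```

Two caveats worth keeping in mind when adapting this: bcrypt only uses the first 72 bytes of the password, so very long passphrases are silently truncated, and the benchmark in pickCost() should be run on the production login hardware rather than a developer laptop, since a cost that is comfortable on one can be far too slow or far too fast on the other.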
requinix
Spammer :|
Posts: 6617 Joined: Wed Oct 15, 2008 2:35 am
Location: WA, USA
by requinix » Fri Jul 13, 2012 12:40 am
carrington01 wrote: I thought MD5 secured and safe. Is it true that it is considered no longer safe??
Yes. And stop spamming.