Page 2 of 2

Posted: Mon Sep 26, 2005 10:21 am
by shiflett
php_wiz_kid wrote: Devnetwork says our best bet is using the crypt() function.
I'm not sure how you can claim that you're not trying to speak for anybody when you clearly are. Others are justified in chiding you for this.

Regardless, this is a very poor suggestion.

Basically, because of recent discoveries regarding the MD5 algorithm, you're suggesting that everyone return to DES, an algorithm that was broken nearly a decade ago. You really think this is a good idea?

Even the book Cracking DES was published in 1998.

Posted: Mon Sep 26, 2005 7:38 pm
by Ambush Commander
On an unrelated note:
They could be guessing people's passwords, although that seems a bit unlikely. =/
Actually, it's very likely. Remember, in any fairly secure system, the user is often the weakest link.

Sorry, it's a bit of an out-of-nowhere post.

Posted: Fri Nov 25, 2005 12:56 pm
by RaH
I know I'm very late on this, but I have a few questions.

You never mentioned what avenue you thought they were using to gain access. Why would you first look at your login?
If it is your login, are you sure they are not using the old ' OR '' = ' tricks?

Is it possible that they are using injection somewhere else to actually read your database and it just so happened that these two accounts had very weak passwords? Is it possible that these two accounts passwords were just guessed?

Other than a monkey in the middle attack or an attacker using XSS on your users, the script looks solid.
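The ' OR '' = ' login bypass RaH asks about, as an added example that is not part of the thread: a Python script with an in-memory SQLite users table (constructed here) standing in for the application's real table, since the thread's PHP login code is not shown. The vulnerable handler splices the form fields straight into the SQL string, so a password of ' OR '' = ' turns the WHERE clause into ... AND password = '' OR '' = '', which is true for every row because AND binds tighter than OR; the parameterized version sends the same input as data and matches nothing. Function and table names are this example's own.

```python
"""Login bypass with ' OR '' = ' against a string-built query, and the fix.

Added example, not from the thread.  Uses an in-memory SQLite table built
here (constructed data) in place of the PHP app's users table.  Plaintext
passwords are kept only so the injection is easy to follow; the rest of the
thread covers why real code stores hashes instead.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Two sample accounts, constructed for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return db


def build_vulnerable_sql(username: str, password: str) -> str:
    """How the broken login builds its query: form fields spliced in."""
    return (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )


def login_vulnerable(db: sqlite3.Connection, username: str, password: str):
    """Returns the matched username, or None.  Injectable: the password
    field can close the quote and append its own condition."""
    row = db.execute(build_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(db: sqlite3.Connection, username: str, password: str):
    """Same check with bound parameters: the input is always compared as a
    string value and never parsed as SQL, so the bypass string just fails."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# The classic bypass: closes the password literal, appends a tautology,
# and lets the template's trailing quote close the last empty string.
BYPASS = "' OR '' = '"

if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("alice", BYPASS))
    print("vulnerable login:", login_vulnerable(db, "alice", BYPASS))
    print("safe login:      ", login_safe(db, "alice", BYPASS))
```

Note that the attacker does not need a valid username either: any username combined with the bypass password makes the OR clause match the whole table, and the handler hands back whichever row comes first.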

automatic salt for crypt

Posted: Thu Oct 19, 2006 8:12 pm
by Amuro Hajime
I currently use the crypt() function set to MD5 without a salt. I am kind of confused at the moment because when I read the php.net entry for crypt() it says:
If the salt argument is not provided, one will be randomly generated by PHP each time you call this function.
So when I go: $hash = crypt("mypassword");

Is that the same as using md5 with a salt (if crypt was set to use MD5)? I don't want to get into a debate on how secure MD5 is but I would like to use a salt with it and it seems that if PHP is randomly generating one in crypt() then that would be more secure then me having a $salt variable that I defined lying around for someone to look at when they hack my site.
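Added example, not code from the poster or from PHP itself: a pure-Python reimplementation of the salted MD5-crypt ("$1$") scheme, which is the format PHP's crypt() produces when given a salt argument of the form $1$xxxxxxxx$ and CRYPT_MD5 is available. It shows what the salt question above comes down to. The salt is written into the hash string between the second and third "$", so it is never a secret: a $salt variable in the source and a salt stored next to every hash give an attacker exactly the same information. What matters is that each password gets its own random salt, and that verification works by handing the stored hash back as the salt argument (crypt($pw, $stored) === $stored in PHP). The function names hash_password, verify_password and salt_of are this example's own.

```python
"""Salted MD5-crypt ("$1$") as produced by PHP's crypt(): hash, store, verify.

Added example, not code from the original thread.  Reimplements the $1$
scheme (Poul-Henning Kamp's md5crypt, as shipped in FreeBSD and glibc) in
pure Python so it runs with no PHP and no system libcrypt.
"""
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = "$1$"
ROUNDS = 1000  # fixed by the $1$ scheme; it is not tunable


def _to64(value: int, count: int) -> str:
    """crypt's own base-64 variant: six bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def generate_salt(length: int = 8) -> str:
    """Random salt from the crypt alphabet; $1$ uses at most 8 characters."""
    if not 1 <= length <= 8:
        raise ValueError("md5-crypt salt must be 1..8 characters")
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def md5_crypt(password: str, salt: str) -> str:
    """Return "$1$<salt>$<22 chars>" for password and salt.

    `salt` may be a bare salt, "$1$salt$", or a complete stored hash; only
    the salt field is used, which is what makes crypt(pw, stored) == stored
    the verification idiom.
    """
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split("$", 1)[0][:8]
    if not salt or any(c not in ITOA64 for c in salt):
        raise ValueError("invalid md5-crypt salt")

    pw = password.encode("utf-8")
    sb = salt.encode("ascii")

    # Initial digest: password, magic, salt, then a digest of pw+salt+pw
    # folded in once per 16 bytes of password length, then a bit pattern
    # derived from the password length.
    ctx = hashlib.md5(pw + MAGIC.encode("ascii") + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    plen = len(pw)
    while plen > 0:
        ctx.update(alt[:min(plen, 16)])
        plen -= 16
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    # 1000 stretching rounds; which inputs go in depends on i mod 2, 3 and 7.
    for i in range(ROUNDS):
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    # Encode the 16-byte result in the scheme's scrambled byte order.
    f = final
    out = MAGIC + salt + "$"
    out += _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
    out += _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
    out += _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
    out += _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
    out += _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
    out += _to64(f[11], 2)
    return out


def hash_password(password: str) -> str:
    """What a registration handler stores: a fresh random salt per password."""
    return md5_crypt(password, generate_salt())


def verify_password(password: str, stored: str) -> bool:
    """The stored hash carries its own salt; no separate salt variable needed."""
    return secrets.compare_digest(md5_crypt(password, stored), stored)


def salt_of(stored: str) -> str:
    """The salt is plainly readable in the stored string."""
    return stored.split("$")[2]


if __name__ == "__main__":
    h = hash_password("mypassword")
    print(h, "salt =", salt_of(h), "ok =", verify_password("mypassword", h))
```

The assertions here are self-consistency checks only; to confirm interoperability, compare md5_crypt('mypassword', 'saltsalt') with PHP's crypt('mypassword', '$1$saltsalt$') on a system where CRYPT_MD5 is enabled. Whether the salt came from a random generator or from a variable in the source makes no difference to an attacker who holds the hash table; reusing one fixed salt for every user does, because it lets one precomputed table crack all accounts at once.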

Posted: Thu Oct 19, 2006 8:26 pm
by John Cartwright
Thread necromancy is a definite no-no :wink:

Please start a new thread, and if need be, reference this thread with a link.

Thread locked.