MD5'ing Passwords
-
Charles256
- DevNet Resident
- Posts: 1375
- Joined: Fri Sep 16, 2005 9:06 pm
Another reason: end users are notoriously lazy. They could be using the same password for their banking site that they use for you. If someone stole that password, then tried some banking sites around, they might get lucky, and then they'll wonder how it happened.. hate to be standing before a judge and saying.. erm... see... typing md5() was kinda hard... heh. I know you fixed it, just giving my two cents.
That was something I never even thought about before a previous discussion here... most people use the same password for sites that don't require that much security as they do for their banking sites, and the fact is... if somebody were to hack the not-so-secure website, get your email and password (because the site admin was too lazy to type md5)... chances are if they tried enough places... eBay, banking sites, PAYPAL, etc. they are going to get lucky and make off with all your crap!
I can tell you a reason to have them in plain text as well.
If you run a script to notify the user about an insecure password. If someone uses a very simple password you can only detect it when it is chosen. It's kind of hard to check for all insecure passwords on the fly. So I like to have a script run at night to check for those passwords.
I however won't transmit them and they are in a special table that is only used by me and the script to analyse the security.
Charles256 wrote: why the devil not? It's a one time thing per user and the cost of a few seconds is well worth the added security you will get from not having plain text passwords. Storing passwords as plain text is plain irresponsible.
I totally disagree. As I stated they are stored in a special table of the database that is only accessible with a special mysql user. If someone gets into that I seriously have a whole lot of other problems to worry about.
The added security is minimal. You prepare for the near impossible superdisaster, because if the database is hacked you should probably have paid more attention to securing the server. So if I store them for further usage in an extra secured table I have done nothing to make my site more insecure.
-
Charles256
- DevNet Resident
- Posts: 1375
- Joined: Fri Sep 16, 2005 9:06 pm
viewtopic.php?t=44528&highlight=double+md5
erm.. he didn't show the math but I trust Roja when it comes to security... just don't argue with him, he will destroy you
Just as I thought... And to display some pseudo maths:
if md5(2) has 2 possible hash values that match it, say md5(4d5f56df45dfdf45) and md5(dsf56fds56fds65), then
md5(md5(2)) has more than 2 possible values that match.
The easiest brute forcer I can think of is:
Code:
// Keep md5()-ing the starting value until the chain produces $hash,
// i.e. treat the target as "some value, md5'd one or more times".
// A depth cap is added so the recursion cannot run forever / overflow.
function bforceIt($hash, $initValue, $depth = 0, $maxDepth = 100000) {
    if (md5($initValue) === $hash) {          // strict compare: no loose "0e..." equality
        die($initValue . ' is a match');
    } elseif ($depth >= $maxDepth) {
        die('no match within ' . $maxDepth . ' iterations');
    } else {
        $newValue = md5($initValue);           // next link in the chain
        bforceIt($hash, $newValue, $depth + 1, $maxDepth);
    }
}
bforceIt('kj4j4h4hk45h44kj', 'basdog22');
-
RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
AGISB wrote: I can tell you a reason to have them in plain text as well.
If you run a script to notify the user about an insecure password. If someone uses a very simple password you can only detect it when it is chosen. It's kind of hard to check for all insecure passwords on the fly. So I like to have a script run at night to check for those passwords.
I however won't transmit them and they are in a special table that is only used by me and the script to analyse the security.
Check the passwords on login and notify the user their passwords aren't strong. Users that don't visit don't need to be emailed. Users that do visit need to be protected. Since they are there, take a second and give them a pretty little notice that they are being silly with their password.
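The check-on-login approach described in this post, worked through as an added example (not code from the thread or from any poster here, and written in Python rather than PHP so it can be run stand-alone): passwords are stored only as salted, iterated hashes, and the weak-password check runs at the moment the user submits the password, so no plain-text copy is ever kept for a nightly job. The weak-password list, minimum length and iteration count are constructed assumptions for the example.

```python
import hashlib
import hmac
import os

# Constructed sample list of weak passwords (an assumption; a real deployment
# would load a much larger list from disk).
WEAK_PASSWORDS = {"123456", "password", "qwerty", "letmein", "abc123"}
MIN_LENGTH = 8          # assumed policy value
ITERATIONS = 100_000    # PBKDF2 work factor; an assumption for the example

# Constructed in-memory "users table": username -> (salt, derived key).
# Plain-text passwords never go in here.
_users = {}


def _derive(password, salt):
    # Salted, iterated hash: two users with the same password get different
    # digests, and every guess costs ITERATIONS hash calls instead of one md5().
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username, password):
    salt = os.urandom(16)
    _users[username] = (salt, _derive(password, salt))


def password_weaknesses(password):
    """Strength check; needs the password only while the user is submitting it."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the common-password list")
    if password.isdigit():
        problems.append("digits only")
    return problems


def login(username, password):
    """Return (authenticated, warnings).

    Warnings are computed from the password the user just typed, which is the
    only moment the server legitimately holds it in clear; nothing has to be
    stored in plain text for a later audit.
    """
    record = _users.get(username)
    if record is None:
        return False, []
    salt, stored = record
    if not hmac.compare_digest(stored, _derive(password, salt)):
        return False, []
    return True, password_weaknesses(password)


def stored_digests_differ(user_a, user_b):
    """True if two users' stored digests differ (even when their passwords match)."""
    return _users[user_a][1] != _users[user_b][1]


if __name__ == "__main__":
    register("alice", "123456")
    register("bob", "123456")
    register("carol", "correct horse battery")
    print(login("alice", "123456"))                 # authenticated, with warnings
    print(login("carol", "correct horse battery"))  # authenticated, no warnings
    print(stored_digests_differ("alice", "bob"))    # True: salts differ
```

The point of `stored_digests_differ` is the one the thread keeps circling: with a per-user salt, alice and bob sharing `123456` does not produce identical rows, so a leaked table gives no hints about shared or reused passwords, while the login-time check still lets the site nag exactly the users who are present to read the notice.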