Page 2 of 4

Posted: Fri Jun 30, 2006 5:44 pm
by Charles256
Another reason: end users are notoriously lazy. They could be using the same password for their banking site that they use for you. If someone stole that password, then tried some banking sites around, they might get lucky, and then they'll wonder how it happened... Hate to be standing before a judge and saying... erm... see... typing md5() was kinda hard... heh. I know you fixed it, just giving my two cents.

Posted: Fri Jun 30, 2006 6:02 pm
by Luke
That was something I never even thought about before a previous discussion here... most people use the same password for sites that don't require that much security as they do for their banking sites, and the fact is... if somebody were to hack the not-so-secure website and get your email and password (because the site admin was too lazy to type md5)... chances are, if they tried enough places... eBay, banking sites, PayPal, etc., they are going to get lucky and make off with all your crap!

Posted: Sat Jul 01, 2006 12:57 pm
by AGISB
I can tell you a reason to have them in plain text as well.

If you run a script to notify users about insecure passwords: if someone uses a very simple password, you can only detect it when it is chosen. It's kind of hard to check for all insecure passwords on the fly, so I like to have a script run at night to check for those passwords.

I, however, won't transmit them, and they are in a special table that is only used by me and the script to analyse the security.

Posted: Sat Jul 01, 2006 1:00 pm
by Charles256
Erm... how is it any harder to check them when they update and when they first create a user, as opposed to checking every night? That actually seems redundant and a waste... I don't see how that is an argument for plain text passwords..... :?

Posted: Sat Jul 01, 2006 1:04 pm
by AGISB
Charles256 wrote: Erm... how is it any harder to check them when they update and when they first create a user, as opposed to checking every night? That actually seems redundant and a waste... I don't see how that is an argument for plain text passwords..... :?
You run dictionary checks on the fly?

Posted: Sat Jul 01, 2006 1:11 pm
by Charles256
Why the devil not? It's a one-time thing per user, and the cost of a few seconds is well worth the added security you will get from not having plain text passwords. Storing passwords as plain text is plain irresponsible.

Posted: Sat Jul 01, 2006 1:25 pm
by AGISB
Charles256 wrote: Why the devil not? It's a one-time thing per user, and the cost of a few seconds is well worth the added security you will get from not having plain text passwords. Storing passwords as plain text is plain irresponsible.
I totally disagree. As I stated, they are stored in a special table of the database that is only accessible with a special MySQL user. If someone gets into that, I seriously have a whole lot of other problems to worry about.

The added security is minimal. You prepare for the near-impossible super-disaster, because if the database is hacked you should probably have paid more attention to securing the server. So if I store them for further usage in an extra-secured table, I have done nothing to make my site more insecure.

Posted: Sat Jul 01, 2006 2:59 pm
by basdog22
I think enough said... :P Just md5 your passwords, and sometimes double md5 them :wink:

Posted: Sat Jul 01, 2006 3:05 pm
by Benjamin
There is no argument here. MD5 is more secure than plain text. Double MD5 is less secure than single MD5. I believe Roja can prove this and it has already been discussed in another thread.

Posted: Sat Jul 01, 2006 3:19 pm
by Charles256
Which site is yours? That way I know where never to sign up. Thanks for the info.

Posted: Sat Jul 01, 2006 3:20 pm
by basdog22
Yeah maybe you are right on that... never thought of it... :roll:

Can you point out the thread? I am really curious about it..

Posted: Sat Jul 01, 2006 3:27 pm
by Benjamin

Posted: Sat Jul 01, 2006 3:28 pm
by Charles256
viewtopic.php?t=44528&highlight=double+md5

Erm... he didn't show the math, but I trust Roja when it comes to security... just don't argue with him, he will destroy you :-D

Posted: Sat Jul 01, 2006 3:44 pm
by basdog22
Just as I thought... And to display some pseudo-maths:

If md5(2) has 2 possible values that match it, say md5(4d5f56df45dfdf45) and md5(dsf56fds56fds65), then
md5(md5(2)) has more than 2 possible values that match.


The easiest brute forcer I can think of is:

Code:

function bforceIt($hash, $initValue, $depth = 0) {
    // Stop instead of recursing forever when nothing ever matches
    if ($depth > 1000) {
        die('no match found');
    }
    if (md5($initValue) == $hash) {
        die($initValue . ' is a match');
    } else {
        $newValue = md5($initValue);   // original line was missing the semicolon
        bforceIt($hash, $newValue, $depth + 1);
    }
}
// original called the undefined name bforce(); the target hash is the poster's placeholder
bforceIt('kj4j4h4hk45h44kj', 'basdog22');

Posted: Sat Jul 01, 2006 5:19 pm
by RobertGonzalez
AGISB wrote: I can tell you a reason to have them in plain text as well.

If you run a script to notify users about insecure passwords: if someone uses a very simple password, you can only detect it when it is chosen. It's kind of hard to check for all insecure passwords on the fly, so I like to have a script run at night to check for those passwords.

I, however, won't transmit them, and they are in a special table that is only used by me and the script to analyse the security.
Check the passwords on login and notify the user that their password isn't strong. Users that don't visit don't need to be emailed. Users that do visit need to be protected. Since they are there, take a second and give them a pretty little notice that they are being silly with their password.
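Added example (Python, written for this page; it is not code from the thread or from any poster) serving two of the posts above: basdog22's brute forcer and "double md5" pseudo-maths, and RobertGonzalez's reply about checking passwords at login. It builds a precomputed dictionary table once and shows that a stolen unsalted md5 and a stolen md5(md5()) both fall to it in a single lookup, whichever way the double-hash argument goes, because neither scheme has a salt. It then stores the same password with a per-user salt and an iterated hash (PBKDF2 from the standard library, my choice; the thread never mentions it), which the same table cannot touch, and runs the weak-password check at the moment the user types the password, so no plaintext table is needed. The wordlist, passwords and iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a cracker's wordlist (assumption, not from the thread).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "basdog22"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest, the scheme the thread argues about."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def double_md5(text: str) -> str:
    """basdog22's 'double md5': MD5 of the hex digest of MD5."""
    return md5_hex(md5_hex(text))


def build_table(words, hash_fn):
    """Precompute hash -> plaintext for one unsalted scheme.

    With no salt, one table serves every user of the site, and every
    other site that stores passwords the same way."""
    return {hash_fn(w): w for w in words}


def lookup(stored_hash: str, table: dict):
    """Recover the password with one dictionary lookup, or None."""
    return table.get(stored_hash)


def dictionary_attack(stored_hash: str, words, hash_fn):
    """Online variant: hash each candidate and compare. This is what a
    terminating version of the thread's brute forcer actually does."""
    for w in words:
        if hash_fn(w) == stored_hash:
            return w
    return None


# Storage that the table above cannot touch: per-user salt, iterated hash.

def make_record(password: str, iterations: int = 100_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record; the salt makes precomputation useless."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def is_weak(password: str, words) -> bool:
    """Policy check, run only while the plaintext is legitimately in hand."""
    return len(password) < 8 or password.lower() in set(words)


def login(record: dict, candidate: str, words):
    """Verify the login, then audit the plaintext the user just supplied.

    Returns (authenticated, weak). Nothing in plaintext is ever stored;
    the nightly-scan case is covered at the moment the password is typed."""
    if not verify(record, candidate):
        return False, False
    return True, is_weak(candidate, words)


if __name__ == "__main__":
    print("single md5 ->", lookup(md5_hex("password"), build_table(WORDLIST, md5_hex)))
    print("double md5 ->", lookup(double_md5("password"), build_table(WORDLIST, double_md5)))
    rec = make_record("password")
    print("salted hash in md5 table ->", lookup(rec["hash"], build_table(WORDLIST, md5_hex)))
    print("login ->", login(rec, "password", WORDLIST))
```

Run it with `python3`; it needs nothing outside the standard library. The md5 and double-md5 lookups both return the plaintext instantly, the salted record is not in any table, and the login call authenticates while flagging the password as weak. A real deployment would use a far larger wordlist and a purpose-built password hash such as bcrypt or Argon2 rather than PBKDF2; the structure of the check stays the same.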