Suggestion: Salt md5 passwords with $dbpass

As bugs and suggestions are fixed/implemented/rejected, they will be moved in here.
The Beatles
Fear me for I am root
Posts: 6285
Joined: Tue May 24, 2005 8:12 pm

Post by The Beatles »

N/T
:wq
Veranor
FAF Co-Programmer
Posts: 310
Joined: Mon Mar 08, 2004 8:12 pm

Post by Veranor »

If someone compromises the DB and tries to crack the passwords... then they already have the dbpass (well, probably), so it's not as effective, is it? Unless the idea is to prevent pre-generated md5s from being used.
"The truth is a trap: you can not get it without it getting you; you cannot get the truth by capturing it, only by its capturing you." - Søren Kierkegaard
The Beatles
Fear me for I am root
Posts: 6285
Joined: Tue May 24, 2005 8:12 pm

Post by The Beatles »

Yes, that was silly, wasn't it? I probably meant with their username.
:wq
Urran Voh
I have a BS degree!
Posts: 2080
Joined: Sun Apr 25, 2004 8:58 pm
Location: Olive Branch, Mississippi

Post by Urran Voh »

Does anyone else (besides Devari) have any clue as to what these two are talking about?
Kills from all Promi games: 55

Emperor and winner of BFR during the 11th Age

Veranor
FAF Co-Programmer
Posts: 310
Joined: Mon Mar 08, 2004 8:12 pm

Post by Veranor »

The Beatles wrote: Yes, that was silly, wasn't it? I probably meant with their username.
If they have the db compromised and access to the md5 hash, then surely they have access to the username?

Or did you mean a salt derived from the username (some weird way of splitting it up or what not)?

This is the issue I see with salts in our case:

1) The algorithm for generating them is public
2) The hash, if compromised, pretty much means every other bit of data stored with it is most likely compromised

...unless the salt method/data is stored in a config file and is generated by some config program. In which case we're fine as long as they don't compromise both source and db.

We probably should renovate the pass storage and stuff... maybe switch to SHA-1 while we're at it.

EDIT: http://en.wikipedia.org/wiki/Salt_%28cryptography%29

I guess they claim that the usage is primarily to prevent the use of pre-generated dictionary attacks - forcing the attacker to generate all of the hashes. Hmmm, I had always thought it was also just to make it hard to break as well but maybe not I guess. In that case then, we don't really need to make it private. Using username would be good because it would prevent checking against the whole db.
"The truth is a trap: you can not get it without it getting you; you cannot get the truth by capturing it, only by its capturing you." - Søren Kierkegaard
The Beatles
Fear me for I am root
Posts: 6285
Joined: Tue May 24, 2005 8:12 pm

Post by The Beatles »

In addition, two users who choose the same pass wouldn't get the same hash.
:wq
Slasher
The FAF Forums SMEGHEAD!!! lol
Posts: 2635
Joined: Mon May 03, 2004 5:08 pm
Location: http://florida4us.com/

Post by Slasher »

Urran Voh wrote: Does anyone else (besides Devari) have any clue as to what these two are talking about?
They are on about md5 passwords in the SQL database (I think) and ways of making them more secure (I think). md5 can now be cracked (so I heard/read) so they are looking for more secure ways of storing passwords (I think).

Not sure but it's something to do with md5 :P
I do not have a signature, you must be imagining

http://florida4us.com/

bjornredtail
Warbands Admin
Posts: 821
Joined: Tue Apr 20, 2004 12:07 am

Post by bjornredtail »

MD5 sums can only be found by brute force, or dictionary attacks. The MD5 dictionary attack often depends on pre-summed values to avoid having to take the MD5 of every word in the dictionary, thereby saving some processing time. By adding a salt (some odd additional characters), this defeats the pre-calculated tables, requiring an attacker with password hashes to calculate the hash for any given password, as opposed to just using a pre-calculated table.
0===)=B=j=o=r=n==R=e=d=t=a=i=l==>
Warbands Admin

"Program testing can be used to show the presence of bugs, but never to show their absence!"-Edsger W. Dijkstra
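
Added example (not part of the original thread and not the forum's own code) for the two points made above: a username salt defeats a precomputed table and gives two users with the same password different hashes. The user names, word list and `username:password` layout are constructed assumptions; the PBKDF2 functions go beyond the thread, showing a random per-user salt with a slow key-derivation function.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users share a common password.
USERS = {"alice": "dragon", "bob": "dragon", "carol": "Xq7!vR2p-long"}
WORDLIST = ["letmein", "dragon", "hunter2"]

def md5_plain(password):
    return hashlib.md5(password.encode()).hexdigest()

def md5_username_salt(username, password):
    # Scheme discussed in the thread: the username acts as a public salt.
    return hashlib.md5(f"{username}:{password}".encode()).hexdigest()

def table_hits(stored, table):
    """Accounts whose stored hash appears in a precomputed hash->word table."""
    return {user: table[h] for user, h in stored.items() if h in table}

def audit():
    table = {md5_plain(w): w for w in WORDLIST}  # built once, reusable anywhere
    plain = {u: md5_plain(p) for u, p in USERS.items()}
    salted = {u: md5_username_salt(u, p) for u, p in USERS.items()}
    return {
        "plain_hits": table_hits(plain, table),
        "salted_hits": table_hits(salted, table),
        "plain_same_hash": plain["alice"] == plain["bob"],
        "salted_same_hash": salted["alice"] == salted["bob"],
    }

def kdf_record(password, salt=None, iterations=600_000):
    # Beyond the thread: random per-user salt plus a deliberately slow KDF.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def kdf_verify(password, record):
    salt, iterations, expected = record
    _, _, actual = kdf_record(password, salt, iterations)
    return hmac.compare_digest(actual, expected)  # constant-time comparison

if __name__ == "__main__":
    print(audit())
    rec = kdf_record("dragon")
    print(kdf_verify("dragon", rec), kdf_verify("letmein", rec))
```

The salt only removes the shared precomputation; with a fast hash such as MD5 each guess against a single account is still cheap, which is what the iteration count in the PBKDF2 variant addresses.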
Cfelicio
Sorta like a Captain
Posts: 111
Joined: Mon Sep 12, 2005 11:47 pm

Post by Cfelicio »

better store as plain text, so the person who is going to hack will be happier and probably will not cause much harm...
Death's alright with me
When it's on TV
Death's alright with me
How funny it can be hahaha
Death's alright to me
Put me on deathrow
My gun is on the shelf
I guess I'll go and shoot myself
Veranor
FAF Co-Programmer
Posts: 310
Joined: Mon Mar 08, 2004 8:12 pm

Post by Veranor »

Cfelicio wrote: better store as plain text, so the person who is going to hack will be happier and probably will not cause much harm...
Heh. The taoist/defeatist IT strategy.


I think Slasher is referring to reports of collisions in md5.
"The truth is a trap: you can not get it without it getting you; you cannot get the truth by capturing it, only by its capturing you." - Søren Kierkegaard
Tetigustas shadowson
Forum Maniac
Posts: 261
Joined: Thu Nov 24, 2005 8:19 pm
Location: frozen like a pizza some place deep in the hart of Alaska

Post by Tetigustas shadowson »

personally I would like to see a package the attackers reach first off a small db that’s not really a db instead it's alive ....*laughs*
it records your computer's settings and saves the user data alright and when they open the fake db payload it changes the attacker's computer settings to mirror yours...
in essence an STD for computers only you want this one because it's contagious to hackers...:)

Could you imagine their drive suddenly changing from a 50 gig to a 4.3 gig.…*laughs*
Or their CPU settings go nuts because it’s a super colossal CPU not a Pentium 2…haha

Don’t get me started I could happily smash some fingers for what's been done to our server in the past.
tu voulez assassiner moi pour terre crotte, quand tu être tel chiffre de quelqu'un.
ponier de feut
If you want to make enemies, try to change something.
President Woodrow Wilson
If drug abuse is a disease, then a drug war is a crime.
Unknown
War is like 'Hide n seek' when you're found you're usually killed, you best be really good at it, you only get to play once
Tetigustas Shadowson
It is fatal to enter any war without the will to win it.
General Douglas MacArthur
It is only the dead who have seen the end of war.
Plato
The art of war is simple enough. Find out where your enemy is. Get at him as soon as you can. Strike him as hard as you can, and keep moving.
Ulysses S Grant
The whole art of war consists of guessing at what is on the other side of the hill.
Duke of Wellington
Slasher
The FAF Forums SMEGHEAD!!! lol
Posts: 2635
Joined: Mon May 03, 2004 5:08 pm
Location: http://florida4us.com/

Post by Slasher »

Veranor wrote:
Cfelicio wrote: better store as plain text, so the person who is going to hack will be happier and probably will not cause much harm...
Heh. The taoist/defeatist IT strategy.


I think Slasher is referring to reports of collisions in md5.
I dunno what I was referring to *laughs*... I know the passwords are stored or were stored as md5 which was supposedly uncrackable... However it's possible to crack it now (I think)...
I do not have a signature, you must be imagining

http://florida4us.com/

The Beatles
Fear me for I am root
Posts: 6285
Joined: Tue May 24, 2005 8:12 pm

Post by The Beatles »

Tetigustas, I think what you're referring to is "magic", and we don't have that in the IT world... ^_^
:wq