Ranter
Join devRant
Do all the things like
++ or -- rants, post your own rants, comment on others' rants and build your customized dev avatar
Sign Up
Pipeless API
From the creators of devRant, Pipeless lets you power real-time personalized recommendations and activity feeds using a simple API
Learn More
Comments
-
hiken18778y@grauschnabel md5 is considered cryptographically insecure, see this http://stackoverflow.com/questions/...
-
hiken18778y@le717 true that can happen, good that you patched it up, we are always learning how to do things better
-
I have a perfect solution for password security: I assign users with random md5 hashes as passwords. Than I save those in DB as plain text. If an user wants a new password, I just give them a new hash. If someone hacks the DB they'll see a lot of hashes that they'll try to decypher. And I'll be LOLing with an evil genious laughter... /s
-
So, MD5 is insecure, which are secure then? They're all hashing, so how do I know which are good to go and which not?? I admit to using MD5 under the guise that it was at least a little bit secure xD
-
@grauschnabel AFAIK The problem with MD5 is that it's extremely fast to compute. Many orders of magnitude faster than bcrypt, which makes it more vulnerable to attack via modern GPUs. I am not sure about hash collisions, and what's the rate of that vs other hash algorithms.
-
martin6248y@juzles It's not. You may use md5 to forcefully set a password, but when the user logs in (or at some other point) Wordpress will use a better algo to re-create the hash
-
hiken18778y@Saborknight bcrypt is well recommend for password hashing, if you are using a language like PHP (> 5.5) it has built in functions to help with this
-
@hiken awesome thanks. Consider me to have seen the light and return from my wanderings between the dark side and ways of the Jedi. Thank you for that :)
-
I've seen mysql() calls in php and cleartext passwords in 2016 so I'd say you're ok x)
-
Also password hashing algorithms should be purposely slow to make brute forcing of passwords harder, should anyone ever manage to get a dump of your database.
-
hiken18778y@deusprogrammer true but together with other controls on the application side to prevent an inadvertent ddos attack
-
juzles38618y@Saborknight if you use php there is a built in api for password hashing and checks that cover more security concerns.
Check: http://php.net/manual/en/... -
arekxv10548yMD5 is not "broken", it just in SOME instances and if not used correctly can be problematic as it can cause collision where two different sources of data will result in same MD5 hash.
If you want to do collision attack you will need to know the salt and that resulting hash (in which case you have the access to the database) and hope that you can send arbitrary password length and/or character combination in order to generate the colliding hash which is easier said than done for most sites.
It is still perfectly safe IMO to use it with passwords in legacy systems, as long as you do it correctly. For new systems...SHA should be used since it provides even more secure solution 😊
Related Rants
-
hexacore3Picked up a legacy site to re-build, turns out just adding: '?admin=1' to the query string gave you full ad...
-
blauesocke6One of our customer thought it would be too unsecure to send us his AWS credentials by email. So he printed it...
-
Tale-Of-X97Don't know if this has been post yet before but ohhh well
Password hashing using md5, it is 2016!! I have seen a sys admin update a user password using a MySQL query
undefined
wk25