m0nty wrote:
Quote:
Suppose the hacker finds a file include vuln. he'll be able to read the content of mainfile.php, connect to the database and find the md5 passwords no?
couldn't he do that even if it was sha-256 encrypted aswell though?
either way, even if he has your md5 key, it's unlikely he'll be able to find out what password you actually use.. he might be able to find a key sequence that gives the same md5 key.. & if the hacker as got as far as a file include vulnerability then he could literally destroy the db or whatever regardless of what encryption method your site uses. he could also change the keys to some that he has produced anyway, so he could literally change your password to a password key that he knows. after all he has access to the DB itself.
stop the source of the exploitation rather than trying to solve an issue that could have been prevented at the source.
prevention is better than cure.
I totally agree with you ! The hacker can erase the whole DB (and we will be able to restore it in a few minutes with the last backup), but he can also destroy my users mail account/website. It gets critical when the site is used by univ students and professors (this is my case) with MD hash in the table. SHA-2 will prevent the hacker destroying more than 1 XOOPS website !
Julian: for me, MD5 unsalted = plaintext because now a days we can use a rainbowtable to guess a 10 caracters long password in a few seconds !
I made the test, i successfully found 310+ passwords out of ~360. (users were obliged to choose at least a 6caracters long password on register)