11
davidl2
Re: using SHA-256 instead of md5
  • 2006/11/20 18:37

  • davidl2

  • XOOPS is my life!

  • Posts: 4843

  • Since: 2003/5/26


(In fact - this is used at: http://www.xoops.net.br/register.php - as the new registration alterntive....)

12
irmtfan
Re: using SHA-256 instead of md5
  • 2006/11/20 19:36

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


by installing "protector" no one can use brute force under XOOPS website.

Quote:
encrypted_password = md5(secret_key . md5(cleartext_password))

indeed a very good idea to add to XOOPS database.
IMHO this way is far better than force users to choose secure passwords.some users dont like it and its not good to force users to do something to protect website

so users can choose weak passwords if they want. in the other side admin is sure that site is not under attack.
by the end everyone will be happy.

13
Dave_L
Re: using SHA-256 instead of md5
  • 2006/11/20 20:02

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Quote:
bubuche93 wrote:
Dave: i don't see how the secret key will improve the security, because it is stored in plaintext in mainfile.php.
Suppose the hacker finds a file include vuln. he'll be able to read the content of mainfile.php, connect to the database and find the md5 passwords no?


There are different kinds of attacks, and different layers of security.

The method I posted is only intended to make it very difficult to determine a user's password from his encrypted password.

The secret key could be stored in the database, maybe in the config table, instead of in mainfile.php. But I can't think of a way of hiding it completely, since it has to be accessable to the script for user authentication.

14
m0nty
Re: using SHA-256 instead of md5
  • 2006/11/20 20:23

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


Quote:

Suppose the hacker finds a file include vuln. he'll be able to read the content of mainfile.php, connect to the database and find the md5 passwords no?


couldn't he do that even if it was sha-256 encrypted aswell though?

either way, even if he has your md5 key, it's unlikely he'll be able to find out what password you actually use.. he might be able to find a key sequence that gives the same md5 key.. & if the hacker as got as far as a file include vulnerability then he could literally destroy the db or whatever regardless of what encryption method your site uses. he could also change the keys to some that he has produced anyway, so he could literally change your password to a password key that he knows. after all he has access to the DB itself.

stop the source of the exploitation rather than trying to solve an issue that could have been prevented at the source.

prevention is better than cure.

15
bubuche93
Re: using SHA-256 instead of md5
  • 2006/11/20 21:52

  • bubuche93

  • Just popping in

  • Posts: 25

  • Since: 2006/11/19


Quote:

m0nty wrote:
Quote:

Suppose the hacker finds a file include vuln. he'll be able to read the content of mainfile.php, connect to the database and find the md5 passwords no?


couldn't he do that even if it was sha-256 encrypted aswell though?

either way, even if he has your md5 key, it's unlikely he'll be able to find out what password you actually use.. he might be able to find a key sequence that gives the same md5 key.. & if the hacker as got as far as a file include vulnerability then he could literally destroy the db or whatever regardless of what encryption method your site uses. he could also change the keys to some that he has produced anyway, so he could literally change your password to a password key that he knows. after all he has access to the DB itself.

stop the source of the exploitation rather than trying to solve an issue that could have been prevented at the source.

prevention is better than cure.


I totally agree with you ! The hacker can erase the whole DB (and we will be able to restore it in a few minutes with the last backup), but he can also destroy my users mail account/website. It gets critical when the site is used by univ students and professors (this is my case) with MD hash in the table. SHA-2 will prevent the hacker destroying more than 1 XOOPS website !

Julian: for me, MD5 unsalted = plaintext because now a days we can use a rainbowtable to guess a 10 caracters long password in a few seconds !

I made the test, i successfully found 310+ passwords out of ~360. (users were obliged to choose at least a 6caracters long password on register)

16
m0nty
Re: using SHA-256 instead of md5
  • 2006/11/20 23:11

  • m0nty

  • XOOPS is my life!

  • Posts: 3337

  • Since: 2003/10/24


but surely then >

Quote:

encrypted_password = md5(secret_key . md5(cleartext_password))


would be enough then if he just grabs the key from the password key from the db without knowing the secret key.

even if he uses rainbow then, he may get a result with some keystrings that may produce that same md5 hash.. but in essence the users password would not be known because that whole md5 key is not a md5 hash of password.. it's an md5 hash of secret key + md5 pw..

maybe you could even md5 the secret key add it to the md5 pw and then md5 the result yet again.

pass = md5(md5(secret key).md5(password))

maybe i'm thinking differently tho & not along the lines of what you're asking (which i do understand) i'm just offering up alternative suggestions.

maybe even openPGP encryption? or key pairs?

17
MadFish
Re: using SHA-256 instead of md5
  • 2006/11/21 2:50

  • MadFish

  • Friend of XOOPS

  • Posts: 1056

  • Since: 2003/9/27


Would delegating authentication to LDAP server using the new feature improve security? Just a thought, I haven't played with this.

18
irmtfan
Re: using SHA-256 instead of md5
  • 2006/11/21 6:26

  • irmtfan

  • Module Developer

  • Posts: 3419

  • Since: 2003/12/7


Quote:
I made the test, i successfully found 310+ passwords out of ~360. (users were obliged to choose at least a 6caracters long password on register)


in a live site with "protector" or in local with the whole db access?

this is the main question.
surely no webmaster emails backup to hacker.

Login

Who's Online

255 user(s) are online (187 user(s) are browsing Support Forums)


Members: 0


Guests: 255


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits