Re: using SHA-256 instead of md5 [Q and A] - XOOPS Web Application System

11

Re: using SHA-256 instead of md5

2006/11/20 18:37
davidl2
XOOPS is my life!
Posts: 4843
Since: 2003/5/26

(In fact - this is used at: http://www.xoops.net.br/register.php - as the new registration alterntive....)

12

Re: using SHA-256 instead of md5

2006/11/20 19:36
irmtfan
Module Developer
Posts: 3419
Since: 2003/12/7

by installing "protector" no one can use brute force under XOOPS website.

Quote:

encrypted_password = md5(secret_key . md5(cleartext_password))

indeed a very good idea to add to XOOPS database.
IMHO this way is far better than force users to choose secure passwords.some users dont like it and its not good to force users to do something to protect website

so users can choose weak passwords if they want. in the other side admin is sure that site is not under attack.
by the end everyone will be happy.

Ready for Romance
First Persian Harry Potter Site(English added) | Persian Support Site | Xoops Persian Project

13

Re: using SHA-256 instead of md5

2006/11/20 20:02
Dave_L
XOOPS is my life!
Posts: 2277
Since: 2003/11/7

Quote:

bubuche93 wrote:
Dave: i don't see how the secret key will improve the security, because it is stored in plaintext in mainfile.php.
Suppose the hacker finds a file include vuln. he'll be able to read the content of mainfile.php, connect to the database and find the md5 passwords no?

There are different kinds of attacks, and different layers of security.

The method I posted is only intended to make it very difficult to determine a user's password from his encrypted password.

The secret key could be stored in the database, maybe in the config table, instead of in mainfile.php. But I can't think of a way of hiding it completely, since it has to be accessable to the script for user authentication.

14

Re: using SHA-256 instead of md5

2006/11/20 20:23
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

Quote:

Suppose the hacker finds a file include vuln. he'll be able to read the content of mainfile.php, connect to the database and find the md5 passwords no?

couldn't he do that even if it was sha-256 encrypted aswell though?

either way, even if he has your md5 key, it's unlikely he'll be able to find out what password you actually use.. he might be able to find a key sequence that gives the same md5 key.. & if the hacker as got as far as a file include vulnerability then he could literally destroy the db or whatever regardless of what encryption method your site uses. he could also change the keys to some that he has produced anyway, so he could literally change your password to a password key that he knows. after all he has access to the DB itself.

stop the source of the exploitation rather than trying to solve an issue that could have been prevented at the source.

prevention is better than cure.

15

Re: using SHA-256 instead of md5

2006/11/20 21:52
bubuche93
Just popping in
Posts: 25
Since: 2006/11/19

Quote:

m0nty wrote:
Quote:

Suppose the hacker finds a file include vuln. he'll be able to read the content of mainfile.php, connect to the database and find the md5 passwords no?

couldn't he do that even if it was sha-256 encrypted aswell though?

either way, even if he has your md5 key, it's unlikely he'll be able to find out what password you actually use.. he might be able to find a key sequence that gives the same md5 key.. & if the hacker as got as far as a file include vulnerability then he could literally destroy the db or whatever regardless of what encryption method your site uses. he could also change the keys to some that he has produced anyway, so he could literally change your password to a password key that he knows. after all he has access to the DB itself.

stop the source of the exploitation rather than trying to solve an issue that could have been prevented at the source.

prevention is better than cure.

I totally agree with you ! The hacker can erase the whole DB (and we will be able to restore it in a few minutes with the last backup), but he can also destroy my users mail account/website. It gets critical when the site is used by univ students and professors (this is my case) with MD hash in the table. SHA-2 will prevent the hacker destroying more than 1 XOOPS website !

Julian: for me, MD5 unsalted = plaintext because now a days we can use a rainbowtable to guess a 10 caracters long password in a few seconds !

I made the test, i successfully found 310+ passwords out of ~360. (users were obliged to choose at least a 6caracters long password on register)

16

Re: using SHA-256 instead of md5

2006/11/20 23:11
m0nty
XOOPS is my life!
Posts: 3337
Since: 2003/10/24

but surely then >

Quote:

encrypted_password = md5(secret_key . md5(cleartext_password))

would be enough then if he just grabs the key from the password key from the db without knowing the secret key.

even if he uses rainbow then, he may get a result with some keystrings that may produce that same md5 hash.. but in essence the users password would not be known because that whole md5 key is not a md5 hash of password.. it's an md5 hash of secret key + md5 pw..

maybe you could even md5 the secret key add it to the md5 pw and then md5 the result yet again.

pass = md5(md5(secret key).md5(password))

maybe i'm thinking differently tho & not along the lines of what you're asking (which i do understand) i'm just offering up alternative suggestions.

maybe even openPGP encryption? or key pairs?

17

Re: using SHA-256 instead of md5

2006/11/21 2:50
MadFish
Friend of XOOPS
Posts: 1056
Since: 2003/9/27

Would delegating authentication to LDAP server using the new feature improve security? Just a thought, I haven't played with this.

hhttps://xoops.org

18

Re: using SHA-256 instead of md5

2006/11/21 6:26
irmtfan
Module Developer
Posts: 3419
Since: 2003/12/7

Quote:

I made the test, i successfully found 310+ passwords out of ~360. (users were obliged to choose at least a 6caracters long password on register)

in a live site with "protector" or in local with the whole db access?

this is the main question.
surely no webmaster emails backup to hacker.

Ready for Romance
First Persian Harry Potter Site(English added) | Persian Support Site | Xoops Persian Project

Stats
Goal:	$100.00
Due Date:	Nov 30
Gross Amount:	$0.00
Net Balance:	$0.00
Left to go:	$100.00

Re: using SHA-256 instead of md5

Re: using SHA-256 instead of md5

Re: using SHA-256 instead of md5

Re: using SHA-256 instead of md5

Re: using SHA-256 instead of md5

Re: using SHA-256 instead of md5

Re: using SHA-256 instead of md5

Re: using SHA-256 instead of md5

Login

Search

Recent Posts

XOOPS MyMenus 1.54.0 Beta 10

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Re: XOOPS MyMenus 1.54.0 Beta 7

Who's Online

Donat-O-Meter

Latest GitHub Commits

{{ record.sha.slice(0, 7) }} - {{ record.commit.message | truncate }}