Code2Design.com

Yes, I do need help...

I have been working on web junk way too long and I really needed a blog so I could rest and have a chance to talk about nothingness.

User login

The Layout

Programming

Graphic Design

Resources

Navigation

C2D Projects

Unsystematic Affiliates

AK Pro N1 Studios Christian Cosmos T-Tutorials 

Change Language

Who's online

There are currently 0 users and 5 guests online.

MD5, hashes, passwords, salts and more

1) You need to salt your passwords.

"Assume a user's secret key is stolen and he is known to use one of 200,000 English words as his password. The system uses a 32-bit salt (like md5). Because of this salt, the attacker's pre-calculated hashes are of no value. He/she must calculate the hash of each word with each of 2^32 (4,294,967,296) possible salts appended until a match is found. The total number of possible inputs can be obtained by multiplying the number of words in the dictionary with the number of possible salts:

2^{32} \times 200 000 = 8.58993459 \times 10^{14}

To complete a brute-force attack, the attacker must now compute about 800 trillion hashes, instead of only 200,000. Even though the password itself is known to be simple, the secret salt makes breaking the password radically more difficult." - http://en.wikipedia.org/wiki/Salt_(cryptography)

2) Now that I got that off my chest I recommend this awesome PHP class http://www.openwall.com/phpass/ as even WORDPRESS has started using it.

3) Plain md5 is just too simple to crack - it is like WEP in WIFI: http://md5.rednoize.com/

4) Rainbow Tables can kill your simple PHP scripts: http://www.antsight.com/zsl/rainbowcrack/
http://en.wikipedia.org/wiki/Rainbow_table

So please, I don't want to see anyone still using plain md5() hashes - at least use a salt!

http://www.lightbluetouchpaper.org/2007/11/16/google-as-a-password-cracker/
http://phpsec.org/articles/2005/password-hashing.html


Submitted by David on April 8, 2008 - 8:04pm. |
David's blog | printer friendly version

Post new comment

The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <br> <br /> <h3>
  • Lines and paragraphs break automatically.
  • You may post code using <code>...</code> (generic) or <?php ... ?> (highlighted PHP) tags.
  • You can use BBCode tags in the text, URLs will be automatically converted to links
More information about formatting options



Like what you see?

Why not add more? C2D is looking for other Christian Web Masters who would like to help write articles for this site. If you have expericance in FLASH, CSS/HTML, PHP/MySQL, PhotoShop/GIMP, Blender, Javascript, or just General Design - our users would love to hear what you have to say. Contact Us

delicious   digg   reddit   magnoliacom   newsvine   furl   google   yahoo   technorati