CodeIgniter Forums
phpass HAVE BEEN CRACKED! What is the solution? - Printable Version

Thread: phpass HAVE BEEN CRACKED! What is the solution? (/thread-19706.html)



phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]vps4[/eluser]
http://www.openwall.com/phpass/

He said:
Quote:I have written a simple tool for cracking Portable PHP password hashes, which WordPress uses to hash user passwords. You pipe passwords to it and pass it a passwd file, and it tries to crack the hashes.


[Image: phpass_crack.jpg]

So phpass, the same as MD5 and SHA1, is also cracked.

OMG..


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]Wuushu[/eluser]
Don't worry... it's called brute-force cracking. It's been around for ages. Just have a good password with a lowercase+uppercase+number combination and it doesn't matter.

I have a cracker that can do 500 million combinations per second (uses 4 CPUs + the 8800 GPU), and with a 15-letter all-character password it would take something like 2^E1294112 years... :)


So remember... use a good password :) and NEVER EVER type your password into any of the "dictionaries" on the web to get the MD5 of it, because they store it for their following lookups.


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]vps4[/eluser]
[quote author="Wuushu" date="1245187584"]Don't worry... it's called brute-force cracking. It's been around for ages. Just have a good password with a lowercase+uppercase+number combination and it doesn't matter.

I have a cracker that can do 500 million combinations per second (uses 4 CPUs + the 8800 GPU), and with a 15-letter all-character password it would take something like 2^E1294112 years... :)


So remember... use a good password :) and NEVER EVER type your password into any of the "dictionaries" on the web to get the MD5 of it, because they store it for their following lookups.[/quote]

Thanks for the post. I can do this, but the members on my site can't all do this...
They have real money in their accounts.


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]jedd[/eluser]
Quote:Thanks for the post. I can do this, but the members on my site can't all do this...
They have real money in their accounts.

Who has access to your hashed passwords?


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]deanf7[/eluser]
If you're using MySQL you might want to try AES_ENCRYPT, or DES_ENCRYPT if you're using SSL. As far as I know neither one has been successfully cracked. The MySQL site recommends them if you need a really high level of security.


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]jdfwarrior[/eluser]
You can set a more secure password but your members can't? Why not? Set up password requirements. Force them to be a certain length/complexity. If your users complain, tell them they can use a secure password and know their money will be OK, or they can pick any old password they want as long as they know that you're not to be held liable if it gets hacked, because they were warned.


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]vps4[/eluser]
[quote author="jedd" date="1245189805"]
Quote:Thanks for the post. I can do this, but the members on my site can't all do this...
They have real money in their accounts.

Who has access to your hashed passwords?[/quote]

I have the same question...
If there is no way to get the hash value with the username, there is no way to hack.
So why is MD5 not safe? Why is phpass better?


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]vps4[/eluser]
Thanks deanf7, I'll research it.


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]vps4[/eluser]
[quote author="jdfwarrior" date="1245190917"]You can set a more secure password but your members can't? Why not? Set up password requirements. Force them to be a certain length/complexity. If your users complain, tell them they can use a secure password and know their money will be OK, or they can pick any old password they want as long as they know that you're not to be held liable if it gets hacked, because they were warned.[/quote]

I set a rule for password requirements:
A-Za-z0-9
and
more than 8 characters long.
Is it enough?
Most members hate characters other than A-Za-z0-9.


phpass HAVE BEEN CRACKED! What is the solution? - El Forum - 06-16-2009

[eluser]Yorick Peterse[/eluser]
sha1() is "cracked", meaning that it will take ages before somebody figures out the password. By that time you've already figured out somebody's hacking your site and you'll ban him. Best practice is to use SHA2 and a random salt.
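The points raised across this page (what the "cracking tool" in the first post actually does, Wuushu's warning about online MD5 lookup "dictionaries", vps4's question of why phpass is better than plain MD5, and Yorick's advice to use a random salt) can be seen concretely in the following added example. It is not code from the thread, from phpass, from WordPress or from CodeIgniter: it is a Python reimplementation of Openwall's published phpass "portable" ($P$) scheme (an 8-character salt, MD5 iterated 2^cost times, crypt-style base-64 output), plus the dictionary attack the tool from the first post performs against such hashes. It goes beyond the thread in implementing the whole scheme rather than just naming it; the wordlist, salt bytes and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# phpass's own alphabet for its crypt(3)-style base-64 (this is not RFC 4648 base-64).
ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# Constructed wordlist standing in for the passwords piped into a cracking tool.
WORDLIST = ['password', '123456', 'qwerty', 'letmein', 'test12345', 'Admin2009']


def encode64(data: bytes) -> str:
    """phpass encode64(): 3 input bytes -> 4 chars; 6 salt bytes -> 8 chars, 16 hash bytes -> 22."""
    out = []
    i, n = 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def phpass_crypt(password: bytes, setting: str) -> str:
    """Recompute a $P$/$H$ hash from a password and its 12-char setting ($P$ + cost char + 8 salt chars).

    Mirrors phpass crypt_private(): md5(salt + pw), then md5(hash + pw) repeated 2**cost times.
    """
    if setting[:3] not in ('$P$', '$H$'):
        raise ValueError('not a phpass portable hash')
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError('cost out of range')
    salt = setting[4:12].encode()
    if len(salt) != 8:
        raise ValueError('salt must be 8 chars')
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest)


def hash_password(password: str, cost: int = 11, salt: Optional[bytes] = None) -> str:
    """Hash with a fresh random 6-byte salt (8 chars once encoded), as phpass gensalt_private() does.

    `cost` is the index of the stored cost character, i.e. log2 of the iteration count. phpass itself
    stores its constructor's iteration_count_log2 + 5 here on PHP 5, so WordPress's 8 shows up as 'B'.
    """
    salt = os.urandom(6) if salt is None else salt
    setting = '$P$' + ITOA64[cost] + encode64(salt)
    return phpass_crypt(password.encode(), setting)


def check_password(password: str, stored: str) -> bool:
    """Verify by recomputing under the stored salt and cost, with a constant-time compare."""
    return hmac.compare_digest(phpass_crypt(password.encode(), stored), stored)


def md5_calls_per_guess(stored: str) -> int:
    """Attacker's cost per candidate: one seeding MD5 plus 2**cost iterations (plain MD5 costs 1)."""
    return (1 << ITOA64.index(stored[3])) + 1


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What the tool in the first post does: recompute the hash for each candidate until one matches.

    The per-user salt means a precomputed table (the online MD5 "dictionaries") is useless, and the
    cost multiplies the work per guess; neither rescues a password that is actually in the wordlist.
    """
    for guess in wordlist:
        if phpass_crypt(guess.encode(), stored) == stored:
            return guess
    return None


if __name__ == '__main__':
    weak = hash_password('test12345')            # constructed weak password, present in WORDLIST
    strong = hash_password('Xk9vQ2rT7mLp4Hw')    # constructed 15-char A-Za-z0-9 password, not in it
    print(weak, check_password('test12345', weak))
    print('MD5 calls per guess:', md5_calls_per_guess(weak))
    print('weak   ->', dictionary_attack(weak, WORDLIST))
    print('strong ->', dictionary_attack(strong, WORDLIST))
```

Running it shows the two halves of the answer to the question above: the same "cracking" loop works against any password hash, so a password that is in the attacker's wordlist falls whatever the algorithm, but the random salt and the 2^cost iterations make each guess against phpass cost thousands of MD5 computations instead of one and make shared lookup tables worthless. To confirm the reimplementation matches the real library, compare its output with the test vector shipped in phpass's own test.php.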