phpass HAVE BEEN CRACKED! What is the solution?
[eluser]vps4[/eluser]
My solution is, when login attempts with the wrong password more than 3 times, the account will be disabled and the IP will be banned. By this solution, may I use MD5?
[eluser]Dam1an[/eluser]
Why implement an elaborate solution, just to use the weakest hashing algorithm known to man?
Also, it's more traditional to not block the user, but to prevent login attempts for 15 or so minutes. This means they need (number of password combinations / 3) * 15 minutes to try them all... not gonna happen.
Also, never underestimate real users locking themselves out, which can become a support nightmare.
Also, people with dynamic IPs may 'inherit' a blocked IP.
[eluser]vps4[/eluser]
[quote author="Dam1an" date="1245195168"]Why implement an elaborate solution, just to use the weakest hashing algorithm known to man?
Also, it's more traditional to not block the user, but to prevent login attempts for 15 or so minutes. This means they need (number of password combinations / 3) * 15 minutes to try them all... not gonna happen.
Also, never underestimate real users locking themselves out, which can become a support nightmare.
Also, people with dynamic IPs may 'inherit' a blocked IP.[/quote]
Thanks a lot. It is helpful for me.
[eluser]jdfwarrior[/eluser]
Both, in theory, could be cracked; it just becomes infeasible to do so, due to the amount of required to do it. MD5 is a 128bit hash where SHA1 is 256bit. The MD5 algorithm is more likely to generate a collision than some of the better hashing algorithms.

Agreeing with Dam1an on the lockout policy. It could become a real headache. Never underestimate a user's stupidity. Some people can't remember their password from day to day. Sad, but it happens. You would go crazy resetting passwords for people every day.

"most member hate the string except A-Za-z0-9" - meaning what? They hate the length requirement? They can hate it all they want, the length requirement NEEDS to be there. Without it, I promise you, you would end up with users having passwords like "Ab1". They would probably end up using their initials and a number.

Set good password requirements, use a good hashing algorithm, and limit the number of attempts within a certain time period. If the user exceeds that, lock them out for a predefined amount of time. You should be good with that.
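The temporary lockout suggested in the posts above (a few failures inside a time window, then a timed lock rather than a disabled account or banned IP), as an added PHP example that is not code from any poster. The class name `LoginThrottle`, its in-memory store and the 3-failure / 15-minute values (taken from the numbers mentioned in the thread) are assumptions; it needs PHP 8.0 or later.

```php
<?php
// Added example (not from the thread): timed lockout keyed on the account,
// so a legitimate user regains access without a support ticket and no IP is banned.
// LoginThrottle and its in-memory array are hypothetical; a real site would keep
// this state in a shared store such as a database table.
final class LoginThrottle
{
    private array $state = []; // account => ['fails' => int[], 'lockedUntil' => int]

    public function __construct(
        private int $maxFails = 3,       // failures tolerated inside the window
        private int $window = 900,       // sliding window in seconds (15 minutes)
        private int $lockSeconds = 900   // lock duration in seconds (15 minutes)
    ) {}

    /** Seconds the caller must still wait; 0 means an attempt is allowed now. */
    public function retryAfter(string $account, int $now): int
    {
        $until = $this->state[$account]['lockedUntil'] ?? 0;
        return max(0, $until - $now);
    }

    public function recordFailure(string $account, int $now): void
    {
        $s = $this->state[$account] ?? ['fails' => [], 'lockedUntil' => 0];
        // Drop failures that fell out of the window, then add this one.
        $s['fails'] = array_values(array_filter(
            $s['fails'],
            fn (int $t): bool => $t > $now - $this->window
        ));
        $s['fails'][] = $now;
        if (count($s['fails']) >= $this->maxFails) {
            $s['lockedUntil'] = $now + $this->lockSeconds; // lock expires by itself
            $s['fails'] = [];
        }
        $this->state[$account] = $s;
    }

    public function recordSuccess(string $account): void
    {
        unset($this->state[$account]); // a correct login clears the counter
    }
}

// Constructed demo: three wrong passwords within ten seconds, then two checks.
$throttle = new LoginThrottle();
$start = 1_000_000; // constructed timestamp
foreach ([0, 5, 10] as $offset) {
    $throttle->recordFailure('alice', $start + $offset);
}
var_dump($throttle->retryAfter('alice', $start + 11));  // still locked
var_dump($throttle->retryAfter('alice', $start + 911)); // lock has expired
```

The login handler calls `retryAfter()` before checking the password and refuses the attempt while it returns a non-zero value.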
[eluser]Dam1an[/eluser]
[quote author="jdfwarrior" date="1245196172"] "most member hate the string except A-Za-z0-9" - meaning what? They hate the length requirement? They can hate it all they want, the length requirement NEEDS to be there. Without it, I promise you, you would end up with users having passwords like "Ab1". They would probably end up using their initials and a number.[/quote]
Your users come up with such elaborate passwords? I wish mine did that, instead of just a, b, c (and that's 3 passwords, not one with spaces and special chars).
[eluser]jdfwarrior[/eluser]
[quote author="Dam1an" date="1245196488"][quote author="jdfwarrior" date="1245196172"] "most member hate the string except A-Za-z0-9" - meaning what? They hate the length requirement? They can hate it all they want, the length requirement NEEDS to be there. Without it, I promise you, you would end up with users having passwords like "Ab1". They would probably end up using their initials and a number.[/quote]
Your users come up with such elaborate passwords? I wish mine did that, instead of just a, b, c (and that's 3 passwords, not one with spaces and special chars).[/quote]
You and I need to have a sit down tonight about your password requirements, or lack thereof.

What I really like is the notorious use of passwords such as:
password
abc123
admin
user123
[eluser]Yorick Peterse[/eluser]
My uncle once used the password "peter" (my dad's name) to protect our router so I couldn't remove my internet limitation. "Hacked" it in a minute.
[eluser]jedd[/eluser]
I'd really like to ask my question again, but it might come across as though I'm taking the piss. Oh, bugger it. Who has access to your hashed password list? If your site allows people to hit a few million dictionary attacks an hour, then here's a clue - your problem is not the password encryption algorithm. If you allow visibility of your password column in your table - your problem is not .. (etc).
[eluser]n0xie[/eluser]
This is why you randomly salt your hashes. (Yes, randomly, not via an encryption key as I see some of the 'auth' libraries do.) Even if you expose your whole user table to the outside world, an attacker would have to build a unique rainbow table for each row, making it a lot less attractive.

Anyway, rainbow tables are not really the issue. It's the hashing algorithms that are at 'fault'. I suggest anyone really interested in the subject read this even if it's just for this memorable quote:

Quote: There are three big differences between Provos-Mazieres and PHK’s scheme:
[eluser]Tom Schlick[/eluser]
[quote author="n0xie" date="1245215407"]This is why you randomly salt your hashes. (Yes, randomly, not via an encryption key as I see some of the 'auth' libraries do.) Even if you expose your whole user table to the outside world, an attacker would have to build a unique rainbow table for each row, making it a lot less attractive.

Anyway, rainbow tables are not really the issue. It's the hashing algorithms that are at 'fault'. I suggest anyone really interested in the subject read this even if it's just for this memorable quote:

Quote: There are three big differences between Provos-Mazieres and PHK’s scheme:[/quote]
Mine does both. It uses a random salt for each user combined with their password, and on the other end is what I call 'pepper', which is exactly like the encryption key but a different string. This way if they steal your db they don't have the one that is in the code, which makes it impossible to access the passwords (without 500 super computers and about 10,000 years).
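A per-user random salt combined with a pepper kept outside the database, as an added PHP example that is not Tom Schlick's library code or any poster's. It assumes PHP's built-in `password_hash()` with bcrypt for the salted hash and an HMAC for the pepper step; `PEPPER`, `apply_pepper()`, `make_hash()` and `check_password()` are hypothetical names.

```php
<?php
// Added example (not from the thread): random per-user salt plus a server-side pepper.
// PEPPER is a constructed placeholder; the real value belongs in configuration
// that is stored outside the database and outside version control.
const PEPPER = 'constructed-demo-pepper-replace-me';

function apply_pepper(string $password): string
{
    // Keyed HMAC of the password. The hex digest is 64 bytes, which stays under
    // bcrypt's 72-byte input limit and contains no NUL bytes.
    return hash_hmac('sha256', $password, PEPPER);
}

function make_hash(string $password): string
{
    // password_hash() generates a fresh random salt on every call and embeds
    // the salt and the cost in the string it returns, so one column stores all.
    return password_hash(apply_pepper($password), PASSWORD_BCRYPT, ['cost' => 12]);
}

function check_password(string $password, string $stored): bool
{
    // password_verify() re-reads salt and cost from $stored and compares
    // in constant time.
    return password_verify(apply_pepper($password), $stored);
}

// Constructed demo: two users who both chose the weak password "abc123".
$rowA = make_hash('abc123');
$rowB = make_hash('abc123');

// Same password, different salts: the stored strings differ, so one
// precomputed table cannot cover both rows.
var_dump($rowA === $rowB);

// Normal login path: right password accepted, wrong one rejected.
var_dump(check_password('abc123', $rowA));
var_dump(check_password('abc124', $rowA));

// Someone holding only the database row, without PEPPER, cannot confirm
// even a correct guess with a plain verify.
var_dump(password_verify('abc123', $rowA));
```

The pepper only helps while it stays secret and separate from the table; rotating it invalidates existing hashes unless each row records which pepper version it was made with.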