• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
phpass HAVE BEEN CRACKED! What is the solution?

#51
[eluser]Dennis Rasmussen[/eluser]
Slowgray is right about that.
Instead of doing more than one hash, use complicated salts and/or add in some concat/replace/encrypt/etc and only hash once with md5, sha512 or another algorithm.

If you hash the string more than once you may end up having more than one of the same results (collision).

#52
[eluser]WanWizard[/eluser]
It's been there for the last few years, when rainbow tables came in fashion.

Getting rid of it is quite difficult, because rehashing would require you to know the password. Can't break running sites, or reset all users passwords.
i'm thinking about doing this using sha1() after a succesful login (then I have access to the plain text password). I could use the length of the field to determine which method I need to be able to validate the password.

Another item on my very long todo list...

#53
[eluser]echoDreamz[/eluser]
[quote author="WanWizard" date="1286150596"]For ExiteCMS I even do double hashing:
Code:
// generate a random salt for this password
users->salt = md5(microtime(TRUE));

// create the new password hash
$users->password = md5(md5(set_value('newpassword')).$users->salt);
[/quote]

Do you store the salt somewhere? How do you compare the stored password against the one currently entered? since microtime() changes, the generated MD5 hash would never been the same even with the correct password.

#54
[eluser]WanWizard[/eluser]
The salt is stored in the user record at the moment, it is generated when the user record is created, or regenerated when the user changes the password.

We thought about storing the salt elsewhere, but imho the benifit is negligible, if a hacker can get in to the level that he has access to the database tables, he probably has access to all other data as well...

This is the code used in the local authentication module of ExiteCMS:
Code:
// attempt to get the user info
$user = $this->fetch( array('name' => set_value('auth_local_username') ) );

// a user found? then use the salt (if present) and check the password
if ( $user->id )
{
    // check if this is an MD5 or SHA1 password hash
    if ( strlen($user->password) == 32 )
    {
        if ( ! empty($user->password_salt) )
        {
            // encode the password
            $password = md5(md5(set_value('auth_local_password')).$user->password_salt);
        }
        else
        {
            // encode the password
            $password = md5(md5(set_value('auth_local_password')));
        }
    }
    else
    {
        if ( ! empty($user->password_salt) )
        {
            // encode the password
            $password = sha1(set_value('auth_local_password').$user->password_salt);
        }
        else
        {
            // encode the password
            $password = sha1(set_value('auth_local_password'));
        }
    }

    // does the encoded password match?
    if ( $password === $user->password )
    {
        // update the password to a SHA1 hashed password if needed
        if ( strlen($user->password) == 32 )
        {
            // generate a random salt for this password
            $user->password_salt = md5(microtime(TRUE));

            // create the new password hash
            $user->password = sha1(set_value('auth_local_password').$user->password_salt);
        }

        // we have a valid login. update the last_visit timestamp
        $user->lastvisit = now();
        $user->save();
    }
    else
    {
        // no match
        $user = $this->rbac->library->rbac->_dummy_user('guest');
    }
}

// user record found?
if ( ! $user->id )
{
    // no. logon failed, show an error message and signal failure
    $this->exitecms->message( $this->self->lang->line('authentication_account_unknown'), MSG_ERROR );
}

#55
[eluser]PermanaJ[/eluser]
My friends suggest me to use character that does not exist in keyboard as a password, such as ™, —, ž, etc Smile

but it will be hard to type in mobile device Smile

#56
[eluser]defectivereject[/eluser]
Safest way I've found is to salt the password then use the php encrypt function, and for extra measure I sha1 that but really don't need too as encrypt and salt is enough and recommended by f-secure

#57
[eluser]WanWizard[/eluser]
Use pbkdf2() instead of sha1(). No need to encrypt, hashing is sufficient. See here for a good article on the subject.

Note that it is important to use a fairly large number of iterations. For example iOS4 uses 10.000 iterations to hash passwords.

#58
[eluser]Unknown[/eluser]
I know this thread is old, but I just wanted to suggest something that I haven't found here and have your opinion.
The most secure methods are at risk when the hacker is after only one password and not the whole users table. Or, in lack of a target, I'd concentrate in the first records as, odds are, one (or more) of them is the admin.
A rather extreme, but very useful method is what Google and Steam do: two-factor authentication. Basically, after a successful login, send a unique token to the user's email or phone, have him enter it on the site, and remember it for 30 days or so. Is extremely unlikely for an attacker to have access to that unique code, and, if so, probably won't store cookies during the attack, prompting for the token each time.
You can do it as I described, by sending an email, or send it to the users phone using DUO Security API (if you can afford it - http://www.duosecurity.com/ ) or building your own mobile app.
I found this to be a very good security method when used along with a good hashing algorithm + random salt. What do you think?


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.