phpass HAS BEEN CRACKED! What is the solution?
#1

[eluser]vps4[/eluser]
http://www.openwall.com/phpass/

He said:
Quote:I have written a simple tool for cracking Portable PHP password hashes, which Wordpress uses to hash user passwords. You pipe passwords to it and pass it a passwd file and it tries to crack the hashes.


[Image: phpass_crack.jpg]

So phpass, like MD5 and SHA1, is also cracked.

OMG...
#2

[eluser]Wuushu[/eluser]
Don't worry... it's called brute-force cracking. It's been around for ages... just have a good password with a lowercase+uppercase+number combination and it doesn't matter.

I have a cracker that can do 500 million combinations per second (uses 4 CPUs + the 8800 GPU)... and with a 15-letter all-character password, it would take something like 2^E1294112 years...


So remember... use a good password, and NEVER EVER type your password into any of the "dictionaries" on the web to get the MD5 of it. They store it for their subsequent lookups.
#3

[eluser]vps4[/eluser]
[quote author="Wuushu" date="1245187584"]Don't worry... it's called brute-force cracking. It's been around for ages... just have a good password with a lowercase+uppercase+number combination and it doesn't matter.

I have a cracker that can do 500 million combinations per second (uses 4 CPUs + the 8800 GPU)... and with a 15-letter all-character password, it would take something like 2^E1294112 years...


So remember... use a good password, and NEVER EVER type your password into any of the "dictionaries" on the web to get the MD5 of it. They store it for their subsequent lookups.[/quote]

Thanks for the post. I can do this, but not all the members on my site can...
They have real money in their accounts.
#4

[eluser]jedd[/eluser]
Quote:Thanks for the post. I can do this, but not all the members on my site can...
They have real money in their accounts.

Who has access to your hashed passwords?
#5

[eluser]deanf7[/eluser]
If you're using MySQL you might want to try AES_ENCRYPT, or DES_ENCRYPT if you're using SSL. As far as I know neither one has been successfully cracked. The MySQL site recommends them if you need a really high level of security.
#6

[eluser]jdfwarrior[/eluser]
You can set a more secure password but your members can't? Why not? Set up password requirements. Force them to be a certain length/complexity. If your users complain, tell them they can use a secure password and know their money will be OK, or they can pick any old password they want as long as they know that you're not to be held liable if it gets hacked, because they were warned.
#7

[eluser]vps4[/eluser]
[quote author="jedd" date="1245189805"]
Quote:Thanks for the post. I can do this, but not all the members on my site can...
They have real money in their accounts.

Who has access to your hashed passwords?[/quote]

I have the same question...
If there is no way to get the hash value along with the username, there is no way to hack it.
So why is MD5 not safe? Why is phpass better?
#8

[eluser]vps4[/eluser]
Thanks deanf7, I'll research it.
#9

[eluser]vps4[/eluser]
[quote author="jdfwarrior" date="1245190917"]You can set a more secure password but your members can't? Why not? Set up password requirements. Force them to be a certain length/complexity. If your users complain, tell them they can use a secure password and know their money will be ok, or they can pick any old password they want as long as they know that your not to be held liable if it gets hacked, because they were warned.[/quote]

I set a rule for password requirements:
A-Za-z0-9
and
more than 8 characters long.
Is it enough?
Most members hate any characters other than A-Za-z0-9.
#10

[eluser]Yorick Peterse[/eluser]
sha1() is "cracked", meaning that it will take ages before somebody figures out the password. By that time you've already figured out somebody's hacking your site and you'll ban him. Best practice is to use SHA-2 and a random salt.
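To make concrete what the "cracking" in post #1 is, why MD5 on its own is weaker (post #7's question), and what the salt and work factor recommended in post #10 buy you, here is a Python reimplementation of phpass's portable `$P$` hash with a tiny wordlist "cracker" next to it. This is example code added for this thread, not phpass's own code or the tool from post #1; the only phpass-specific facts it relies on are the `$P$` layout and the itoa64 alphabet. The wordlist is constructed, and the one known hash/password pair is the vector shipped in phpass's `test.php`.

```python
"""phpass portable ($P$) hash, reimplemented in Python for this thread.

Shows what a phpass cracker does (guess, hash with the stored salt and
iteration count, compare) and why that costs more per guess, and per
user, than unsalted MD5.  Example code, not phpass's own implementation.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'

# Hash of 'test12345' published in phpass's own test.php.
PHPASS_TEST_VECTOR = '$P$9IQRaTwmfeRo7ud9Fh4E2PdI0S3r.L0'

# Constructed wordlist standing in for the passwords piped to the cracker.
WORDLIST = [b'password', b'123456', b'qwerty', b'test12345', b'letmein']


def encode64(data: bytes, count: int) -> str:
    """phpass's crypt(3)-style encoding: 3 bytes -> 4 itoa64 chars, no padding."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3f])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3f])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3f])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3f])
    return ''.join(out)


def phpass_crypt(password: bytes, setting: str) -> Optional[str]:
    """Hash `password` under `setting` = "$P$" + log2(count) char + 8 salt chars.

    A full stored hash works as the setting, since only its first 12 chars
    are read.  Returns None for a malformed setting (phpass returns "*0"/"*1").
    """
    if setting[:3] not in ('$P$', '$H$') or len(setting) < 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    salt = setting[4:12]
    # Work factor: 2**count_log2 chained MD5s, each mixing the password back
    # in.  One guess therefore costs thousands of MD5 calls, not one.
    digest = hashlib.md5(salt.encode() + password).digest()
    for _ in range(1 << count_log2):
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + encode64(digest, 16)


def gensalt(count_log2: int = 8) -> str:
    """Fresh random setting, as phpass's HashPassword() generates for a new user."""
    return '$P$' + ITOA64[count_log2] + encode64(os.urandom(6), 6)


def check_password(password: bytes, stored: str) -> bool:
    computed = phpass_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def crack_phpass(stored: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """What the tool in post #1 does: try each candidate against ONE hash.

    The random salt means this work is per user; a table built for one
    victim's hash is useless against the next one.
    """
    for cand in candidates:
        if check_password(cand, stored):
            return cand
    return None


def crack_unsalted_md5(stored_hexes: Iterable[str],
                       candidates: Iterable[bytes]) -> Dict[str, bytes]:
    """Contrast: plain MD5.  Hash the wordlist ONCE and every user who chose
    one of those passwords falls out of a dictionary lookup.  This is also
    exactly what the online MD5 "dictionaries" in post #2 are built from."""
    table = {hashlib.md5(c).hexdigest(): c for c in candidates}
    return {h: table[h] for h in stored_hexes if h in table}
```

Usage: `phpass_crypt(b'letmein', gensalt(8))` stores a hash; `check_password(b'letmein', that_hash)` verifies it. Running `crack_phpass` over a large wordlist shows why the speed of a cracker is bounded by `2**count_log2` MD5s per guess per user, while `crack_unsalted_md5` pays one MD5 per word for the whole user table. The defence is therefore not "hide the hashes" but a salt plus a work factor, and a password that is not in anyone's wordlist.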