[pLog-svn] Salted MD5
Mark Wu
markplace at gmail.com
Mon Mar 10 12:32:29 EDT 2008
>
> How much more secure is than simply:
>
> md5($password . $private_key)
Actually, it's no difference for normal people, but much secure for those
hackers...
BTW, VBB and IPB use:
md5(md5($password).md5($private_key))
>
> And are there any downsides of the new method - ie. will it
> fail on upgrades, or fail for certain servers, etc?
>
mmm .... for lifetype 2.0 . The minimal requirement is php 5.1.x ...
so, It won't be a problem.
mhash become "hash" in pecl in php5, if there is no hash installed, it will
use the pure php implementation...
>
> On Mon, 10 Mar 2008, Mark Wu wrote:
>
> > Here comes more secure algorithm:
> >
> > sha256(md5($password)+md5($your_provide_private_key));
> >
> > I use sha256 here.
> >
> > Here also comes the pure php sha256 implementation:
> >
> > http://nanolink.ca/pub/sha256/
> >
> > If the server has "hash" pecl, it will use it instead of
> the pure one.
> >
> > Mark
> >
> >> -----Original Message-----
> >> From: plog-svn-bounces at devel.lifetype.net
> >> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> >> Sent: Monday, March 10, 2008 7:25 PM
> >> To: LifeType Developer List
> >> Subject: Re: [pLog-svn] Salted MD5
> >>
> >> Hi Mark
> >>
> >> I welcome your suggestion and think that this is valuable
> >> protection against rainbow table attacks.
> >>
> >> We already had an issue with the revealed admin password
> >> hash. This would have been less severe with the saltet md5.
> >>
> >> Thanks for suggesting!
> >>
> >> reto
> >>
> >> Mark Wu wrote:
> >>> Hi All:
> >>>
> >>> I plan to upgrade our password algorithm to salted MD5, take the
> >>> following for eaxample:
> >>>
> >>> sha1(md5($password) + user_defined_private_key);
> >>>
> >>> I will also remain an option in lifetype admin panel for
> >> user to use
> >>> the old MD5 way to keep compatability.
> >>>
> >>> If we use the algorithm above, It is also possible to
> >> convert the old
> >>> hashed password to new hased password.
> >>>
> >>> How do you think?
> >>>
> >>>
> >>
> http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.ht
> >>> ml
> >>>
> >>> These kind of online reverse lookup table sites making
> the MD5 only
> >>> algorithm more dangerous.
> >>>
> >>> Mark
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> ----------------------------------------------------------------------
> >>> --
> >>>
> >>> _______________________________________________
> >>> pLog-svn mailing list
> >>> pLog-svn at devel.lifetype.net
> >>> http://limedaley.com/mailman/listinfo/plog-svn
> >>
> >> _______________________________________________
> >> pLog-svn mailing list
> >> pLog-svn at devel.lifetype.net
> >> http://limedaley.com/mailman/listinfo/plog-svn
> >
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> >
>
> --
> Jon Daley
> http://jon.limedaley.com/
>
> We are all made different, but we are all sinners.
> -- Jim Herron
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn
More information about the pLog-svn
mailing list