[pLog-svn] Salted MD5

Tsz Ming WONG tszming at gmail.com
Mon Mar 10 23:35:49 EDT 2008


Hi guys,

This topic was discussed on the wp-hackers list quite a few
months ago, and here is their result:

http://trac.wordpress.org/ticket/2394

It also appears on Drupal:

http://drupal.org/node/29706



On Tue, Mar 11, 2008 at 3:22 AM, Matt Wood <matt at woodzy.com> wrote:
> The only reason you would salt passwords in a database is that you're concerned
> that the password db table has been compromised... if you fear that has
> happened then the salt that you're storing in the database is available to the
> attacker. Thus adding md5 or sha1 or sha256 of that salt to the password is
> no more secure than just appending the salt in plaintext. The same number of
> computations will be required to "crack" the password hash.
>
> -Matt
>
> PS. md5/sha1 are not cryptographically secure hash algorithms anymore
> (however they are probably ok for this situation). Any sha2 algorithm (sha256,
> sha512) supposedly is.
>
>
>
> On Mon, Mar 10, 2008 at 11:32 AM, Mark Wu <markplace at gmail.com> wrote:
> >
> > >
> > >       How much more secure is than simply:
> > >
> > > md5($password . $private_key)
> >
> > Actually, it makes no difference for normal people, but is much more secure
> > against those hackers...
> >
> > BTW, VBB and IPB use:
> >
> > md5(md5($password).md5($private_key))
> >
> >
> > >
> > > And are there any downsides of the new method - ie. will it
> > > fail on upgrades, or fail for certain servers, etc?
> > >
> >
> > mmm .... for lifetype 2.0, the minimal requirement is php 5.1.x ...
> >
> > so, it won't be a problem.
> >
> > mhash became "hash" in pecl in php5; if there is no hash installed, it
> > will use the pure php implementation...
> >
> >
> >
> >
> > >
> > > On Mon, 10 Mar 2008, Mark Wu wrote:
> > >
> > > > Here comes a more secure algorithm:
> > > >
> > > > sha256(md5($password)+md5($your_provide_private_key));
> > > >
> > > > I use sha256 here.
> > > >
> > > > Here also comes the pure php sha256 implementation:
> > > >
> > > > http://nanolink.ca/pub/sha256/
> > > >
> > > > If the server has "hash" pecl, it will use it instead of the pure one.
> > > >
> > > > Mark
> > > >
> > > >> -----Original Message-----
> > > >> From: plog-svn-bounces at devel.lifetype.net
> > > >> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> > > >> Sent: Monday, March 10, 2008 7:25 PM
> > > >> To: LifeType Developer List
> > > >> Subject: Re: [pLog-svn] Salted MD5
> > > >>
> > > >> Hi Mark
> > > >>
> > > >> I welcome your suggestion and think that this is valuable
> > > >> protection against rainbow table attacks.
> > > >>
> > > >> We already had an issue with the revealed admin password
> > > >> hash. This would have been less severe with the salted md5.
> > > >>
> > > >> Thanks for suggesting!
> > > >>
> > > >> reto
> > > >>
> > > >> Mark Wu wrote:
> > > >>> Hi All:
> > > >>>
> > > >>> I plan to upgrade our password algorithm to salted MD5; take the
> > > >>> following for example:
> > > >>>
> > > >>> sha1(md5($password) + user_defined_private_key);
> > > >>>
> > > >>> I will also retain an option in the lifetype admin panel for
> > > >>> users to use the old MD5 way to keep compatibility.
> > > >>>
> > > >>> If we use the algorithm above, it is also possible to
> > > >>> convert the old hashed password to the new hashed password.
> > > >>>
> > > >>> What do you think?
> > > >>>
> > > >>>
> > > >>>
> > > >>> http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.html
> > > >>>
> > > >>> These kinds of online reverse lookup table sites are making the MD5-only
> > > >>> algorithm more dangerous.
> > > >>>
> > > >>> Mark
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>>
> > > >>
> > > >>> ------------------------------------------------------------------------
> > > >>>
> > > >>> _______________________________________________
> > > >>> pLog-svn mailing list
> > > >>> pLog-svn at devel.lifetype.net
> > > >>> http://limedaley.com/mailman/listinfo/plog-svn
> > > >>
> > > >
> > > >
> > >
> > > --
> > > Jon Daley
> > > http://jon.limedaley.com/
> > >
> > > We are all made different, but we are all sinners.
> > > -- Jim Herron
> >
>
>
>



-- 
Best Regards,
tszming
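As an added example (not LifeType's code and not written by anyone in this thread), here is the scheme Mark proposes, sha256(md5($password) . md5($private_key)), next to the legacy unsalted md5, together with the in-place migration he describes: because the new digest is computed from md5($password) rather than from the password itself, existing md5 rows can be converted without knowing any password. It also shows why the reverse-lookup sites mentioned at the start of the thread stop working once the site key is mixed in. The private key, the row layout, the length-based detection of old versus new rows and the sample passwords are assumptions made for this example; it assumes the bundled hash extension (PHP >= 5.1.2) and does not include the pure-PHP sha256 fallback from the thread.

```php
<?php
// Added example, not LifeType's own code. Scheme under discussion:
//   new_digest = sha256(md5($password) . md5($private_key))
// Assumes PHP >= 5.1.2 with the bundled hash extension.

// Legacy scheme: unsalted md5, 32 hex characters.
function legacy_hash($password) {
    return md5($password);
}

// Derive the new digest from an md5 digest. Since the scheme feeds
// md5($password) into sha256 rather than the password itself, a stored
// legacy digest is all that is needed to produce the new one.
function salted_hash_from_md5($md5_of_password, $private_key) {
    return hash('sha256', $md5_of_password . md5($private_key));
}

// New scheme, computed from the plaintext at login time.
function salted_hash($password, $private_key) {
    return salted_hash_from_md5(md5($password), $private_key);
}

// Verify against either format. Convention assumed by this example:
// a 32-character digest is a legacy md5 row, a 64-character digest is
// the new sha256 format. (On PHP >= 5.6, hash_equals() is preferable to ===.)
function verify_password($password, $stored, $private_key) {
    if (strlen($stored) === 32) {
        return legacy_hash($password) === $stored;
    }
    return salted_hash($password, $private_key) === $stored;
}

// One-shot migration of a user table given as username => stored digest.
// Only legacy rows are rewritten; rows already in the new format are kept.
function migrate_rows(array $rows, $private_key) {
    $out = array();
    foreach ($rows as $user => $digest) {
        $out[$user] = (strlen($digest) === 32)
            ? salted_hash_from_md5($digest, $private_key)
            : $digest;
    }
    return $out;
}

// Stand-in for the online reverse-lookup tables the thread mentions:
// a constructed map from md5 digest back to a few common passwords.
function lookup_table() {
    $table = array();
    foreach (array('password', '123456', 'hunter2', 'letmein') as $pw) {
        $table[md5($pw)] = $pw;
    }
    return $table;
}

// Returns the recovered password, or null if the digest is not in the table.
function reverse_lookup($digest) {
    $table = lookup_table();
    return isset($table[$digest]) ? $table[$digest] : null;
}

// Constructed data. The private key belongs in config.php, not in the database.
$private_key = 'example-site-private-key';
$rows = array(
    'admin' => legacy_hash('hunter2'),                // legacy row
    'reto'  => salted_hash('letmein', $private_key),  // already migrated
);

$migrated = migrate_rows($rows, $private_key);

// The legacy digest is recoverable from the table; the migrated one is not.
var_dump(reverse_lookup($rows['admin']));
var_dump(reverse_lookup($migrated['admin']));

// Both users still log in after migration; a wrong password is rejected.
var_dump(verify_password('hunter2', $migrated['admin'], $private_key));
var_dump(verify_password('letmein', $migrated['reto'], $private_key));
var_dump(verify_password('wrong', $migrated['admin'], $private_key));
```

Run it with `php example.php`. Note that the private key here is a single site-wide secret kept outside the database, which is what Matt's objection turns on: if the secret sits in the same table as the digests, hashing it first changes nothing about the work an attacker faces.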

