[pLog-svn] Salted MD5

Mark Wu markplace at gmail.com
Tue Mar 11 00:04:03 EDT 2008 

That's why I use (MD5($password)+MD5($salt)) to keep it easy to upgrade.
 
And use sha256() to enhence the security level.
 
Mark


  _____  

From: plog-svn-bounces at devel.lifetype.net
[mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Matt Wood
Sent: Tuesday, March 11, 2008 3:23 AM
To: LifeType Developer List
Subject: Re: [pLog-svn] Salted MD5


The only reason you would salt passwords in a database means your concerned
that the password db table has been compromised... if you fear that has
happened then the salt that your storing in the database is available to the
attacker. Thus adding md5 or sha1 or sha256 of that salt to the password is
no more secure than just appending the salt in plaintext. The same number of
computations will be required to "crack" the password hash.

-Matt

PS. md5/sha1 are not cryptographically secure hash algorithms anymore
(however probably are ok for this situation). any sha2 algorithm (sha256,
sha512) is suposedly.


On Mon, Mar 10, 2008 at 11:32 AM, Mark Wu <markplace at gmail.com> wrote:


>
>       How much more secure is than simply:
>
> md5($password . $private_key)


Actually, it's no difference for normal people, but much secure for those
hackers...

BTW, VBB and IPB use:

md5(md5($password).md5($private_key))


>
> And are there any downsides of the new method - ie. will it
> fail on upgrades, or fail for certain servers, etc?
>


mmm .... for lifetype 2.0 . The minimal requirement is php 5.1.x ...

so, It won't be a problem.

mhash become "hash" in pecl in php5, if there is no hash installed, it will
use the pure php  implementation...


>
> On Mon, 10 Mar 2008, Mark Wu wrote:
>
> > Here comes more secure algorithm:
> >
> > sha256(md5($password)+md5($your_provide_private_key));
> >
> > I use sha256 here.
> >
> > Here also comes the pure php sha256 implementation:
> >
> > http://nanolink.ca/pub/sha256/
> >
> > If the server has "hash" pecl, it will use it instead of
> the pure one.
> >
> > Mark
> >
> >> -----Original Message-----
> >> From: plog-svn-bounces at devel.lifetype.net
> >> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Reto Hugi
> >> Sent: Monday, March 10, 2008 7:25 PM
> >> To: LifeType Developer List
> >> Subject: Re: [pLog-svn] Salted MD5
> >>
> >> Hi Mark
> >>
> >> I welcome your suggestion and think that this is valuable
> >> protection against rainbow table attacks.
> >>
> >> We already had an issue with the revealed admin password
> >> hash. This would have been less severe with the saltet md5.
> >>
> >> Thanks for suggesting!
> >>
> >> reto
> >>
> >> Mark Wu wrote:
> >>> Hi All:
> >>>
> >>> I plan to upgrade our password algorithm to salted MD5, take the
> >>> following for eaxample:
> >>>
> >>> sha1(md5($password) + user_defined_private_key);
> >>>
> >>> I will also remain an option in lifetype admin panel for
> >> user to use
> >>> the old MD5 way to keep compatability.
> >>>
> >>> If we use the algorithm above, It is also possible to
> >> convert the old
> >>> hashed password to new hased password.
> >>>
> >>> How do you think?
> >>>
> >>>
> >>
> http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.ht
> >>> ml
> >>>
> >>> These kind of online reverse lookup table sites making
> the MD5 only
> >>> algorithm more dangerous.
> >>>
> >>> Mark
> >>>
> >>>
> >>>
> >>>
> >>>
> >>
> ----------------------------------------------------------------------
> >>> --
> >>>
> >>> _______________________________________________
> >>> pLog-svn mailing list
> >>> pLog-svn at devel.lifetype.net
> >>> http://limedaley.com/mailman/listinfo/plog-svn
> >>
> >> _______________________________________________
> >> pLog-svn mailing list
> >> pLog-svn at devel.lifetype.net
> >> http://limedaley.com/mailman/listinfo/plog-svn
> >
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> >
>
> --
> Jon Daley
> http://jon.limedaley.com/
>
> We are all made different, but we are all sinners.
> -- Jim Herron
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn

_______________________________________________
pLog-svn mailing list
pLog-svn at devel.lifetype.net
http://limedaley.com/mailman/listinfo/plog-svn



-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://limedaley.com/pipermail/plog-svn/attachments/20080311/71f83779/attachment.htm

More information about the pLog-svn mailing list