[pLog-svn] Salted MD5

Mark Wu markplace at gmail.com
Tue Mar 11 00:04:31 EDT 2008


Wow ... Thanks for this information. :D

Mark 

> -----Original Message-----
> From: plog-svn-bounces at devel.lifetype.net 
> [mailto:plog-svn-bounces at devel.lifetype.net] On Behalf Of Tsz 
> Ming WONG
> Sent: Tuesday, March 11, 2008 11:36 AM
> To: LifeType Developer List
> Subject: Re: [pLog-svn] Salted MD5
> 
> Hi guys,
> 
> This topic has been discussed at the wp-hackers list quite a 
> few months ago, and their result:
> 
> http://trac.wordpress.org/ticket/2394
> 
> Also appear on Drupal:
> 
> http://drupal.org/node/29706
> 
> 
> 
> On Tue, Mar 11, 2008 at 3:22 AM, Matt Wood <matt at woodzy.com> wrote:
> > The only reason you would salt passwords in a database means your 
> > concerned that the password db table has been compromised... if you 
> > fear that has happened then the salt that your storing in 
> the database 
> > is available to the attacker. Thus adding md5 or sha1 or sha256 of 
> > that salt to the password is no more secure than just appending the 
> > salt in plaintext. The same number of computations will be 
> required to "crack" the password hash.
> >
> > -Matt
> >
> > PS. md5/sha1 are not cryptographically secure hash 
> algorithms anymore 
> > (however probably are ok for this situation). any sha2 algorithm 
> > (sha256,
> > sha512) is suposedly.
> >
> >
> >
> > On Mon, Mar 10, 2008 at 11:32 AM, Mark Wu 
> <markplace at gmail.com> wrote:
> > >
> > > >
> > > >       How much more secure is than simply:
> > > >
> > > > md5($password . $private_key)
> > >
> > > Actually, it's no difference for normal people, but much 
> secure for 
> > > those hackers...
> > >
> > > BTW, VBB and IPB use:
> > >
> > > md5(md5($password).md5($private_key))
> > >
> > >
> > > >
> > > > And are there any downsides of the new method - ie. 
> will it fail 
> > > > on upgrades, or fail for certain servers, etc?
> > > >
> > >
> > > mmm .... for lifetype 2.0 . The minimal requirement is 
> php 5.1.x ...
> > >
> > > so, It won't be a problem.
> > >
> > > mhash become "hash" in pecl in php5, if there is no hash 
> installed, 
> > > it
> > will
> > > use the pure php  implementation...
> > >
> > >
> > >
> > >
> > > >
> > > > On Mon, 10 Mar 2008, Mark Wu wrote:
> > > >
> > > > > Here comes more secure algorithm:
> > > > >
> > > > > sha256(md5($password)+md5($your_provide_private_key));
> > > > >
> > > > > I use sha256 here.
> > > > >
> > > > > Here also comes the pure php sha256 implementation:
> > > > >
> > > > > http://nanolink.ca/pub/sha256/
> > > > >
> > > > > If the server has "hash" pecl, it will use it instead of
> > > > the pure one.
> > > > >
> > > > > Mark
> > > > >
> > > > >> -----Original Message-----
> > > > >> From: plog-svn-bounces at devel.lifetype.net
> > > > >> [mailto:plog-svn-bounces at devel.lifetype.net] On 
> Behalf Of Reto 
> > > > >> Hugi
> > > > >> Sent: Monday, March 10, 2008 7:25 PM
> > > > >> To: LifeType Developer List
> > > > >> Subject: Re: [pLog-svn] Salted MD5
> > > > >>
> > > > >> Hi Mark
> > > > >>
> > > > >> I welcome your suggestion and think that this is valuable 
> > > > >> protection against rainbow table attacks.
> > > > >>
> > > > >> We already had an issue with the revealed admin 
> password hash. 
> > > > >> This would have been less severe with the saltet md5.
> > > > >>
> > > > >> Thanks for suggesting!
> > > > >>
> > > > >> reto
> > > > >>
> > > > >> Mark Wu wrote:
> > > > >>> Hi All:
> > > > >>>
> > > > >>> I plan to upgrade our password algorithm to salted 
> MD5, take 
> > > > >>> the following for eaxample:
> > > > >>>
> > > > >>> sha1(md5($password) + user_defined_private_key);
> > > > >>>
> > > > >>> I will also remain an option in lifetype admin panel for
> > > > >> user to use
> > > > >>> the old MD5 way to keep compatability.
> > > > >>>
> > > > >>> If we use the algorithm above, It is also possible to
> > > > >> convert the old
> > > > >>> hashed password to new hased password.
> > > > >>>
> > > > >>> How do you think?
> > > > >>>
> > > > >>>
> > > > >>
> > > > 
> http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-fo
> > > > r.ht
> > > > >>> ml
> > > > >>>
> > > > >>> These kind of online reverse lookup table sites making
> > > > the MD5 only
> > > > >>> algorithm more dangerous.
> > > > >>>
> > > > >>> Mark
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>>
> > > > >>
> > > > 
> ------------------------------------------------------------------
> > > > ----
> > > > >>> --
> > > > >>>
> > > > >>> _______________________________________________
> > > > >>> pLog-svn mailing list
> > > > >>> pLog-svn at devel.lifetype.net
> > > > >>> http://limedaley.com/mailman/listinfo/plog-svn
> > > > >>
> > > > >> _______________________________________________
> > > > >> pLog-svn mailing list
> > > > >> pLog-svn at devel.lifetype.net
> > > > >> http://limedaley.com/mailman/listinfo/plog-svn
> > > > >
> > > > > _______________________________________________
> > > > > pLog-svn mailing list
> > > > > pLog-svn at devel.lifetype.net
> > > > > http://limedaley.com/mailman/listinfo/plog-svn
> > > > >
> > > >
> > > > --
> > > > Jon Daley
> > > > http://jon.limedaley.com/
> > > >
> > > > We are all made different, but we are all sinners.
> > > > -- Jim Herron
> > > > _______________________________________________
> > > > pLog-svn mailing list
> > > > pLog-svn at devel.lifetype.net
> > > > http://limedaley.com/mailman/listinfo/plog-svn
> > >
> > > _______________________________________________
> > > pLog-svn mailing list
> > > pLog-svn at devel.lifetype.net
> > > http://limedaley.com/mailman/listinfo/plog-svn
> > >
> >
> >
> > _______________________________________________
> > pLog-svn mailing list
> > pLog-svn at devel.lifetype.net
> > http://limedaley.com/mailman/listinfo/plog-svn
> >
> 
> 
> 
> --
> Best Regards,
> tszming
> _______________________________________________
> pLog-svn mailing list
> pLog-svn at devel.lifetype.net
> http://limedaley.com/mailman/listinfo/plog-svn



More information about the pLog-svn mailing list