<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=969120004-11032008><FONT face=新細明體
color=#0000ff size=2>That's why I use (MD5($password)+MD5($salt)) to keep it
easy to upgrade.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=969120004-11032008><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=969120004-11032008><FONT face=新細明體
color=#0000ff size=2>And use sha256() to enhance the security
level.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=969120004-11032008><FONT face=新細明體
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=969120004-11032008><FONT face=新細明體
color=#0000ff size=2>Mark</FONT></SPAN></DIV><BR>
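<DIV>Added example (not part of the original messages, and not LifeType code): the upgrade path this reply relies on, written in PHP. It reads the thread's "+" as string concatenation and assumes a random per-user salt stored beside the hash; the function names and row layout are hypothetical.</DIV>

```php
<?php
// Added illustration; not LifeType code. All function names are hypothetical.
// Scheme from the thread, reading "+" as string concatenation (assumption):
//   stored = sha256( md5(password) . md5(salt) )

// Wrap a legacy md5(password) hex digest. No plaintext is needed, which is
// why existing rows can be converted without waiting for users to log in.
function wrap_legacy_md5(string $md5Hex, string $salt): string
{
    return hash('sha256', $md5Hex . md5($salt));
}

// Check a login against either a legacy row or a converted row.
function verify_login(string $password, array $row): bool
{
    $candidate = $row['scheme'] === 'md5'
        ? md5($password)
        : wrap_legacy_md5(md5($password), $row['salt']);
    return hash_equals($row['hash'], $candidate); // constant-time compare
}

// Convert every legacy row; a random per-user salt is an assumption here
// (the thread also mentions a single user-defined private key).
function migrate_rows(array $rows): array
{
    foreach ($rows as $user => $row) {
        if ($row['scheme'] !== 'md5') {
            continue;
        }
        $salt = bin2hex(random_bytes(16));
        $rows[$user] = [
            'scheme' => 'sha256-md5',
            'salt'   => $salt,
            'hash'   => wrap_legacy_md5($row['hash'], $salt),
        ];
    }
    return $rows;
}

// Constructed sample table: two users who chose the same password.
$legacy = [
    'alice' => ['scheme' => 'md5', 'salt' => '', 'hash' => md5('tr0ub4dor')],
    'bob'   => ['scheme' => 'md5', 'salt' => '', 'hash' => md5('tr0ub4dor')],
];
$new = migrate_rows($legacy);

var_dump(verify_login('tr0ub4dor', $new['alice']));      // login with the original password
var_dump(verify_login('wrong-guess', $new['alice']));    // login with a wrong password
var_dump($new['alice']['hash'] === $new['bob']['hash']); // do equal passwords share a hash?
```

<DIV>Because the salt sits in the same table as the hash, md5($salt) is a per-row constant for anyone holding that table, so each guess still costs one md5 and one sha256. What the salt removes is the value of precomputed lookup tables and of spotting users who share a password.</DIV>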
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=zh-tw dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> plog-svn-bounces@devel.lifetype.net
[mailto:plog-svn-bounces@devel.lifetype.net] <B>On Behalf Of </B>Matt
Wood<BR><B>Sent:</B> Tuesday, March 11, 2008 3:23 AM<BR><B>To:</B> LifeType
Developer List<BR><B>Subject:</B> Re: [pLog-svn] Salted
MD5<BR></FONT><BR></DIV>
<DIV></DIV>The only reason you would salt passwords in a database means you're
concerned that the password db table has been compromised... if you fear that
has happened then the salt that you're storing in the database is available to
the attacker. Thus adding md5 or sha1 or sha256 of that salt to the password
is no more secure than just appending the salt in plaintext. The same number
of computations will be required to "crack" the password
hash.<BR><BR>-Matt<BR><BR>PS. md5/sha1 are not cryptographically secure hash
algorithms anymore (however probably are ok for this situation). Any sha2
algorithm (sha256, sha512) is supposedly.<BR><BR>
<DIV class=gmail_quote>On Mon, Mar 10, 2008 at 11:32 AM, Mark Wu &lt;<A
href="mailto:markplace@gmail.com">markplace@gmail.com</A>&gt; wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV class=Ih2E3d>><BR>> How much more secure is
than simply:<BR>><BR>> md5($password .
$private_key)<BR><BR></DIV>Actually, it's no different for normal people,
but much more secure for those<BR>hackers...<BR><BR>BTW, VBB and IPB
use:<BR><BR>md5(md5($password).md5($private_key))<BR>
<DIV class=Ih2E3d><BR>><BR>> And are there any downsides of the new
method - ie. will it<BR>> fail on upgrades, or fail for certain servers,
etc?<BR>><BR><BR></DIV>mmm .... for lifetype 2.0 . The minimal
requirement is php 5.1.x ...<BR><BR>so, it won't be a problem.<BR><BR>mhash
became "hash" in pecl in php5, if there is no hash installed, it will<BR>use
the pure php implementation...<BR>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c><BR>><BR>> On Mon, 10 Mar 2008, Mark Wu
wrote:<BR>><BR>> > Here comes more secure algorithm:<BR>>
><BR>> >
sha256(md5($password)+md5($your_provide_private_key));<BR>> ><BR>>
> I use sha256 here.<BR>> ><BR>> > Here also comes the pure
php sha256 implementation:<BR>> ><BR>> > <A
href="http://nanolink.ca/pub/sha256/"
target=_blank>http://nanolink.ca/pub/sha256/</A><BR>> ><BR>> >
If the server has "hash" pecl, it will use it instead of<BR>> the pure
one.<BR>> ><BR>> > Mark<BR>> ><BR>> >>
-----Original Message-----<BR>> >> From: <A
href="mailto:plog-svn-bounces@devel.lifetype.net">plog-svn-bounces@devel.lifetype.net</A><BR>>
>> [mailto:<A
href="mailto:plog-svn-bounces@devel.lifetype.net">plog-svn-bounces@devel.lifetype.net</A>]
On Behalf Of Reto Hugi<BR>> >> Sent: Monday, March 10, 2008 7:25
PM<BR>> >> To: LifeType Developer List<BR>> >> Subject:
Re: [pLog-svn] Salted MD5<BR>> >><BR>> >> Hi Mark<BR>>
>><BR>> >> I welcome your suggestion and think that this is
valuable<BR>> >> protection against rainbow table attacks.<BR>>
>><BR>> >> We already had an issue with the revealed admin
password<BR>> >> hash. This would have been less severe with the
salted md5.<BR>> >><BR>> >> Thanks for suggesting!<BR>>
>><BR>> >> reto<BR>> >><BR>> >> Mark Wu
wrote:<BR>> >>> Hi All:<BR>> >>><BR>>
>>> I plan to upgrade our password algorithm to salted MD5, take
the<BR>> >>> following for eaxample:<BR>>
>>><BR>> >>> sha1(md5($password) +
user_defined_private_key);<BR>> >>><BR>> >>> I will
also remain an option in lifetype admin panel for<BR>> >> user to
use<BR>> >>> the old MD5 way to keep compatibility.<BR>>
>>><BR>> >>> If we use the algorithm above, it is also
possible to<BR>> >> convert the old<BR>> >>> hashed
password to new hashed password.<BR>> >>><BR>> >>>
What do you think?<BR>> >>><BR>> >>><BR>>
>><BR>> <A
href="http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.ht"
target=_blank>http://kuza55.blogspot.com/2006/10/online-reverse-lookup-tables-for.ht</A><BR>>
>>> ml<BR>> >>><BR>> >>> These kinds of
online reverse lookup table sites make<BR>> the MD5 only<BR>>
>>> algorithm more dangerous.<BR>> >>><BR>>
>>> Mark<BR>> >>><BR>> >>><BR>>
>>><BR>> >>><BR>> >>><BR>>
>><BR>>
----------------------------------------------------------------------<BR>>
>>> --<BR>> >>><BR>> >>>
_______________________________________________<BR>> >>>
pLog-svn mailing list<BR>> >>> <A
href="mailto:pLog-svn@devel.lifetype.net">pLog-svn@devel.lifetype.net</A><BR>>
>>> <A href="http://limedaley.com/mailman/listinfo/plog-svn"
target=_blank>http://limedaley.com/mailman/listinfo/plog-svn</A><BR>>
><BR>><BR>> --<BR>> Jon Daley<BR>> <A
href="http://jon.limedaley.com/"
target=_blank>http://jon.limedaley.com/</A><BR>><BR>> We are all made
different, but we are all sinners.<BR>> -- Jim Herron<BR>>
<BR></DIV></DIV></BLOCKQUOTE></DIV><BR></BLOCKQUOTE></BODY></HTML>