A Cambridge University researcher successfully used Google to unearth a password used by an attacker to compromise its security blog. The attacker created an account in Wordpress when he attacked the Light the Blue Touch Paper blog, the online journal of the Computer Laboratory at Cambridge University. Wordpress stores …
When will software developers realise that a simple MD5 on a password is insecure and pointless? Anyone can obtain a database of MD5 results to quickly get a working password to an application, which in turn might lead to the same username and password being used on other sites.
Wordpress, phpBB and various other applications stick with a pointless hash without a salt. Surely the developers should've realised this by now?
"I'm not sure how you would obtain the md5 hashes for a specific wordpress/phpbb install unless there is a bigger security problem on that server, or you are the admin"
FFS, did you READ the story?? Here's the first bloody line:
"A Cambridge University researcher successfully used Google to unearth a password used by an attacker to compromise its security blog."
So yes, he's the bloody admin!
"I've even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key's MD5 hash."
You'd have to be pretty retarded to ever use the password as the key you store info by though, let alone storing it in a web accessible way. After all, Google can only index that which appears openly on the web.
To combine those two fatal flaws with the storage of plain text passwords even though you have a matching hash should be enough to get you marked as a danger to all mankind.
If you must use a key as a filename, it should be either a unique username or ID (which, for the benefit of Steven Murdoch, are 100% resistant to accidental collisions). Password hashes definitely taste better with salt. There is no excuse for ever storing plain text passwords, anywhere.
As for wordpress, phpBB, VB and other big name web software, I'm always of the opinion that if it's worth doing then it's worth doing yourself. They've all proven repeatedly that they know bugger all about security, and their code should never be trusted without some serious modifications.
Why would anyone use MD5 for anything in this day and age? It's akin to building a Quad Core modern computer with four Gig of RAM and then using a 170KB floppy disk drive from a Commodore for storage.
SHA512 generates 88 bytes which can be padded using your salt key and then stored using token-stripped Base64 for portability and size. Most all modern technologies can support it.
In my web applications, I use a 'custom' hashing method which combines a user salt, a server salt, hashing the password forwards, backwards, you name it, combining these all together and hashing again.
To be even more protected against accidental collisions, you can implement 2 different hashing algorithms (different server salts, using SHA instead of MD5, or both, etc), store both results and check against both of them.
Paranoid? Maybe... but I find it ridiculous that people are just using a simple md5 hash of the password and thinking that is secure!
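An added example, not code from this thread or from WordPress/phpBB, tying together the first commenter's point (a bare MD5 falls to one shared precomputed table) and the salting argued for in the later comments. Instead of the commenter's home-grown forwards/backwards scheme it uses a per-user random salt with PBKDF2-HMAC-SHA256 from Python's standard library; the wordlist and the "stored" hash are constructed here, not taken from any real site.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for the "database of MD5 results" the
# commenter mentions. Hashes are computed locally, not real credentials.
COMMON_PASSWORDS = ["password", "letmein", "123456", "qwerty"]


def build_md5_lookup(words):
    """Precompute md5 -> word once. With no salt, this one table
    works against every unsalted password store in the world."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def recover_unsalted(stored_hex, lookup):
    """An unsalted hash is a dictionary key: O(1) lookup, no cracking needed."""
    return lookup.get(stored_hex)


def hash_password(password, salt=None, iterations=200_000):
    """Per-user random salt + PBKDF2-HMAC-SHA256. The scheme, iteration
    count and salt are stored alongside the digest so they can be upgraded."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute under the stored salt/iterations; constant-time compare."""
    scheme, iters, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unknown hash scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    lookup = build_md5_lookup(COMMON_PASSWORDS)
    unsalted = hashlib.md5(b"letmein").hexdigest()  # how the bare-MD5 apps store it
    leaked = recover_unsalted(unsalted, lookup)     # -> "letmein", instantly
    rec_a = hash_password("letmein")
    rec_b = hash_password("letmein")
    # Same password, two users, two different records: a shared table is
    # useless and neither user's record reveals the other's password.
    return (leaked, rec_a != rec_b,
            verify_password("letmein", rec_a), verify_password("wrong", rec_a))


if __name__ == "__main__":
    print(demo())
```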