
MD5 password



23 answers to this question


Posted (edited)

If MD5 is easy to crack, tell me what this password is.

d16725300976db1641d4663d9c13a9e2

But in all seriousness, you should hash your passwords. There's no reason not to, and it keeps amateurs from messing with your server.

Edited by michaelsoftman
Posted (edited)

If MD5 is easy to crack, tell me what this password is.

d16725300976db1641d4663d9c13a9e2

But in all seriousness, you should hash your passwords. There's no reason not to, and it keeps amateurs from messing with your server.

i hate you too.

i guess so yeah.

but is it possible to use different hash?

Edited by Feefty
Posted

If MD5 is easy to crack, tell me what this password is.

d16725300976db1641d4663d9c13a9e2

But in all seriousness, you should hash your passwords. There's no reason not to, and it keeps amateurs from messing with your server.

If MD5 is easy to crack, tell me what this password is.

d16725300976db1641d4663d9c13a9e2

But in all seriousness, you should hash your passwords. There's no reason not to, and it keeps amateurs from messing with your server.

i hate you too.

i guess so yeah.

but is it possible to use different hash?

It's "I hate you."

not "i hate you too."

Posted (edited)

If MD5 is easy to crack, tell me what this password is.

d16725300976db1641d4663d9c13a9e2

But in all seriousness, you should hash your passwords. There's no reason not to, and it keeps amateurs from messing with your server.

If MD5 is easy to crack, tell me what this password is.

d16725300976db1641d4663d9c13a9e2

But in all seriousness, you should hash your passwords. There's no reason not to, and it keeps amateurs from messing with your server.

i hate you too.

i guess so yeah.

but is it possible to use different hash?

It's "I hate you."

not "i hate you too."

lol. I know, I'm just saying I hate him too.

Edited by Feefty
Posted

Haha, I feel the love in this thread. <3

Seriously though. Hashing it can keep some people from doing anything if they somehow gain access to your login DB. But then again, if you just focus on DB security instead, that would be the better option. There's no real reason not to MD5 them though.

Posted

Guys, keep on track with the topic... few replies without even constructive feedback.

As for good security, as mentioned above, MD5 isn't always the best. Yes, it's good when it comes to people who can't crack it, but people who can crack can obviously get around it. Another way is to make sure you do not use easily guessed passwords for your different databases etc. Getting hashed passwords is also beneficial. You as an owner will always want to take necessary precautions to protect your server (well, you should).

Posted

Well, md5 is easy to crack when you use a real word as password, since it's already in a dictionary, but just try with some numbers in it and it'll get way more complicated, like:

6ffe7c349a183a182671f828d786d137

Posted

Well, md5 is easy to crack when you use a real word as password, since it's already in a dictionary, but just try with some numbers in it and it'll get way more complicated, like:

6ffe7c349a183a182671f828d786d137

Ahh. I've personally never used MD5 in my servers, so I haven't really experienced it working; all I knew was that it added a tad more security.

Posted

Well, md5 is easy to crack when you use a real word as password, since it's already in a dictionary, but just try with some numbers in it and it'll get way more complicated, like:

6ffe7c349a183a182671f828d786d137

+1

If there's a very complicated password in md5, there's very little chance of cracking it,

BUT,

Often players use easy passwords.

No player would input hard/long passwords for logging in to the server every day.

Posted

Well, md5 is easy to crack when you use a real word as password, since it's already in a dictionary, but just try with some numbers in it and it'll get way more complicated, like:

6ffe7c349a183a182671f828d786d137

+1

If there's a very complicated password in md5, there's very little chance of cracking it,

BUT,

Often players use easy passwords.

No player would input hard/long passwords for logging in to the server every day.

Well then, wouldn't that be their fault then? :P If they get hacked, it'd be their fault but then complain to the Admin :P

Posted

Well, md5 is easy to crack when you use a real word as password, since it's already in a dictionary, but just try with some numbers in it and it'll get way more complicated, like:

6ffe7c349a183a182671f828d786d137

+1

If there's a very complicated password in md5, there's very little chance of cracking it,

BUT,

Often players use easy passwords.

No player would input hard/long passwords for logging in to the server every day.

Well then, wouldn't that be their fault then? :P If they get hacked, it'd be their fault but then complain to the Admin :P

But they don't understand it's their own fault.

But as I think,

It's also the admin's fault for low security of the databases.

Keep very hard passwords for VPS and SQL, and be DDoS protected, and then there's no chance of getting hacked.

Posted

You could change your registration form to require some numbers in it or things like that (that's what they usually do: your pass is too weak, your pass requires 3 numbers, etc.).

Otherwise you could always rehash the pass with a configured salt. I think I'll do a diff for that.

This will probably lower encryption as I didn't study the redundancy etc., but if you look at it, I doubt you'll have someone who's really going to write something to crack your encryption; most of the time it's script kiddies that use an md5 decrypt site to find the pass.

And as I said, those sites work with a dictionary; they have a hash of md5 keys corresponding to passes and there you go, so if your pass is not common, has weird letters in it etc., it's probably not referenced yet.

Posted
Otherwise you could always rehash the pass with a configured salt.

Agree, it's the easier way to "secure" all passwords without changing/adding a lot of code; this is what I used in the past.

Posted

Here try this for a quick salt, not exactly what I was using but should be easier like that, ofc you can make it harder if you wish :

http://upaste.me/04d51583d10fd52c

Don't forget to change the passphrase, otherwise it won't be that useful.

Also you'll need to change the new account creation insert in the db to:

"insert into login(user_pass) values( md5(concat(inputpasswd,mypasskey)) ); "

Yes, that's an incomplete SQL query for registration, but it's just to show the password change in registration.

To update your db it'll be:

update login set user_pass= md5(concat(user_pass,mypasskey)); -- well, this assumes you didn't have md5 enabled yet

And ofc after this you'll need to enable md5. If you already had it enabled, I'm afraid I don't have a generic solution, unless you try to decrypt all md5 first, but I'd not recommend it; better to ask users to renew their pass.

  • Upvote 1
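
Added example, not part of the post above or of the server's code: the post's `md5(concat(password, passkey))` scheme still maps equal passwords to equal hashes, and for the case the post leaves open (md5 already enabled) the stored MD5 values can be wrapped in a salted, slow hash without knowing the plaintext. This goes beyond the thread by using PBKDF2 with a per-account salt; the `account` and `salt` fields, the function names and the iteration count are assumptions, and the rows are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # example work factor (assumption); tune for your hardware

def md5_hex(password: str) -> str:
    """Plain MD5, as stored when the server's md5 option is enabled."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_passkey(password: str, passkey: str) -> str:
    """The thread's scheme: md5(concat(password, passkey)), one key for all rows."""
    return hashlib.md5((password + passkey).encode()).hexdigest()

def _stretch(md5_hash: str, salt: bytes) -> bytes:
    # Slow, salted hash computed over the existing MD5 hex string.
    return hashlib.pbkdf2_hmac("sha256", md5_hash.encode(), salt, ITERATIONS)

def wrap_legacy(md5_hash: str) -> tuple[bytes, bytes]:
    """Upgrade a stored MD5 hash in place: no plaintext, no user action."""
    salt = os.urandom(16)  # fresh random salt per account
    return salt, _stretch(md5_hash, salt)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check for a wrapped row: recompute md5, then the salted stretch."""
    return hmac.compare_digest(_stretch(md5_hex(password), salt), stored)

def migrate(rows: list[dict]) -> list[dict]:
    """rows: constructed stand-ins for login rows that hold plain MD5."""
    out = []
    for row in rows:
        salt, stored = wrap_legacy(row["user_pass"])
        out.append({"account": row["account"], "salt": salt, "user_pass": stored})
    return out

if __name__ == "__main__":
    # Constructed sample: two accounts that picked the same password.
    legacy = [{"account": a, "user_pass": md5_hex("test")} for a in ("alice", "bob")]
    print("plain md5 equal:  ", legacy[0]["user_pass"] == legacy[1]["user_pass"])
    print("passkey md5 equal:", md5_passkey("test", "k3y") == md5_passkey("test", "k3y"))
    new = migrate(legacy)
    print("wrapped equal:    ", new[0]["user_pass"] == new[1]["user_pass"])
    print("login ok:         ", verify("test", new[0]["salt"], new[0]["user_pass"]))
```

With a single global passkey, two accounts that share a password still share a hash; with a per-account salt they do not, so one guess cannot be checked against every row at once.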
Posted

Here try this for a quick salt, not exactly what I was using but should be easier like that, ofc you can make it harder if you wish :

http://upaste.me/04d51583d10fd52c

Don't forget to change the passphrase, otherwise it won't be that useful.

Also you'll need to change the new account creation insert in the db to:

"insert into login(user_pass) values( md5(concat(inputpasswd,mypasskey)) ); "

Yes, that's an incomplete SQL query for registration, but it's just to show the password change in registration.

To update your db it'll be:

update login set user_pass= md5(concat(user_pass,mypasskey)); -- well, this assumes you didn't have md5 enabled yet

And ofc after this you'll need to enable md5. If you already had it enabled, I'm afraid I don't have a generic solution, unless you try to decrypt all md5 first, but I'd not recommend it; better to ask users to renew their pass.

thanks, ill try this.

Posted
Here try this for a quick salt, not exactly what I was using but should be easier like that, ofc you can make it harder if you wish :

http://upaste.me/04d51583d10fd52c

Don't forget to change the passphrase, otherwise it won't be that useful.

Also you'll need to change the new account creation insert in the db to:

"insert into login(user_pass) values( md5(concat(inputpasswd,mypasskey)) ); "

Yes, that's an incomplete SQL query for registration, but it's just to show the password change in registration.

To update your db it'll be:

update login set user_pass= md5(concat(user_pass,mypasskey)); -- well, this assumes you didn't have md5 enabled yet

And ofc after this you'll need to enable md5. If you already had it enabled, I'm afraid I don't have a generic solution, unless you try to decrypt all md5 first, but I'd not recommend it; better to ask users to renew their pass.

This is not effective, since the additional security encryption is done on the server side and not on the client side..

traditional way :

client(hashed) --[pass:test]-->server-->[check db]-->(success/fail)

I'm hacker I get this †

(boom I know your pass)

+salt

client(hashed) --[pass:test]-->server-->[check db+salt]-->(success/fail)

I'm hacker I get this †

(boom I also know your pass)

anyway this is useful if the attacker/hacker is on the server side..:)

:meow:

Posted
This is not effective, since the additional security encryption is done on the server side and not on the client side..

traditional way :

client(hashed) --[pass:test]-->server-->[check db]-->(success/fail)

I'm hacker I get this †

(boom I know your pass)

+salt

client(hashed) --[pass:test]-->server-->[check db+salt]-->(success/fail)

I'm hacker I get this †

(boom I also know your pass)

anyway this is useful if the attacker/hacker is on the server side..:)

:meow:

I don't get it.

A hash is a hash; you can't reverse it, you have to brute force all possible combinations to get it.

Even if the hacker knows the key, if it's a complicated key you will not be able to reverse the hash without testing all possibilities.

And yeah, it's useful only if the attacker/hacker has access to the server (even if in this case, there are other ways to get passwords).

Posted
I don't get it.

A hash is a hash; you can't reverse it, you have to brute force all possible combinations to get it.

hahaha..I mean if the password used is in the dictionary cause I'm basing my example on the password given at later post..and I also stated there "pass:test"

:meow:

Posted

Well, there are the <passwordencrypt> and <passwordencrypt2> clientinfo functions, which I haven't delved extremely deep into, but I see that they are supported (at least there are checks) on the server side. I believe what malufett was referring to in the previous post was that the client generally sends the password in plaintext. Sending a password in plaintext is not a good thing.
