MD5 password


Feefty

should i use the md5 password or just stick to plain one?

because i think md5 is easy to crack and it doesn't matter if i hash my password.

23 answers to this question

If MD5 is easy to crack, tell me what this password is.

d16725300976db1641d4663d9c13a9e2

But in all seriousness, you should hash your passwords. There's no reason not to, and it keeps amateurs from messing with your server.

Edited by michaelsoftman

i hate you too.

i guess so yeah.

but is it possible to use different hash?

Edited by Feefty

It's "I hate you."

not "i hate you too."


If MD5 is easy to crack, tell me what this password is.

I hate you. /omg


lol. i know, i'm just saying i hate him too.

Edited by Feefty

Haha, I feel the love in this thread. <3

Seriously though. Hashing it can keep some people from doing anything if they somehow gain access to your login DB. But then again, if you just focus on DB security instead, that would be the better option. There's no real reason not to MD5 them though.


Guys, keep on track with the topic... few replies without even constructive feedback.

As for good security, as mentioned above, MD5 isn't always the best.. yes, it's good when it comes to people who can't crack it, but people who can crack can obviously get around it. Another way is to make sure you do not use easily guessed passwords for your different databases etc. Getting hashed passwords is also beneficial. You as an owner will always want to take necessary precautions to protect your server (well, you should).


well md5 is easy to crack when you use a real word as password since it's already in the dictionary, but just try with some number in it and it'll get way more complicated, like:

6ffe7c349a183a182671f828d786d137


Ahh. I've personally never used MD5 in my servers so I haven't really experienced it working; all I knew was that it added a tad more security.


+1

If there's a much more complicated password in md5, it's a very low percent chance to crack it down,

BUT,

Often players use easy passwords.

No player would input hard/long passwords for logging in to the server every day.


Well then, wouldn't that be their fault then? :P If they get hacked, it'd be their fault but then complain to the Admin :P


But they don't understand it's their own fault.

But as I think,

It's the admin's fault also for low security of the databases.

Keep very hard passwords for vps and sql, and ddos protected, and then it's no chance to get hacked.


yes just convert the default hash to other hash since it's on the db, so i think yes


You could change your registration form to require some number in it or things like that (that's what they usually do: your pass is too weak, your pass requires 3 numbers etc...)

Otherwise you could always rehash the pass with a configured salt. I think I'll do a diff for that.

This will probably lower encryption as I didn't study the redundancy etc, but if you're looking at it I doubt you'll have someone who's really gonna write something to crack your encryption; most of the time it's script kiddies that use md5 decrypt sites to find passes.

And as I said, those sites work with a dictionary, they have a hash of md5 keys corresponding to passes and there you go, so if your pass is not common, has weird letters in it etc., it's probably not referenced yet.


Otherwise you could always rehash the pass with a configured salt.

Agree, it's the easier way to "secure" all passwords without changing/adding a lot of code, this is what I used in the past.


Add more salt please ;)


Here, try this for a quick salt, not exactly what I was using but should be easier like that, ofc you can make it harder if you wish:

http://upaste.me/04d51583d10fd52c

Don't forget to change the passphrase, otherwise it won't be that useful.

Also you'll need to change the new account creation insert in db to:

"insert into login(user_pass) values( md5(concat(inputpasswd,mypasskey)) ); "

yes, that's an incomplete sql query for registration but it's just to show the password change in registration.

To update your db it'll be

update login set user_pass = md5(concat(user_pass,mypasskey)); -- well, this assumes you didn't have md5 enabled yet

and ofc after this you'll need to enable md5. If you already had it enabled I'm afraid I don't have a generic solution unless you try to decrypt all md5 first, but I'd not recommend it, better to ask users to renew their pass

  • Upvote 1
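
Added example (not part of the thread, and not the code behind the upaste link): a Python sketch of what the `md5(concat(inputpasswd,mypasskey))` scheme above changes in the stored column, going one step further to rows that already hold plain MD5 by wrapping the stored hash in a per-account salted PBKDF2, which needs no plaintext. The account names, passwords, passkey value, round count and the `salt$hash` storage format are constructed assumptions.

```python
import hashlib
import hmac
import os

PASSKEY = "constructed-passkey"  # stands in for the thread's `mypasskey`
ROUNDS = 100_000  # PBKDF2 work factor, an assumed value; raise as hardware allows

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def passkey_md5(password):
    # The thread's scheme: md5(concat(inputpasswd, mypasskey))
    return md5_hex(password + PASSKEY)

def wrap_legacy(md5_of_password):
    """Upgrade a stored md5(password) value; the plaintext is never needed."""
    salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", md5_of_password.encode(), salt, ROUNDS)
    return salt.hex() + "$" + dk.hex()

def verify_wrapped(password, stored):
    """Login check: recompute md5, then PBKDF2 with the row's own salt."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", md5_hex(password).encode(),
                             bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)

def duplicate_groups(column):
    """Accounts whose stored value is identical, i.e. same password."""
    groups = {}
    for user, value in column.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts: two players picked the same password.
PLAINTEXT = {"alice": "poring123", "bob": "poring123", "carol": "t7#Wq!zL0p"}

def build_columns():
    plain_md5 = {u: md5_hex(p) for u, p in PLAINTEXT.items()}
    keyed_md5 = {u: passkey_md5(p) for u, p in PLAINTEXT.items()}
    wrapped = {u: wrap_legacy(h) for u, h in plain_md5.items()}
    return plain_md5, keyed_md5, wrapped

if __name__ == "__main__":
    plain_md5, keyed_md5, wrapped = build_columns()
    for name, col in (("md5", plain_md5), ("md5+passkey", keyed_md5), ("wrapped", wrapped)):
        print(name, "duplicate groups:", duplicate_groups(col))
    print("bob logs in:", verify_wrapped("poring123", wrapped["bob"]))
```

With one shared passkey, identical passwords still produce identical rows; the per-account salt is what removes that. The server's login check has to apply the same wrapping before comparing.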

thanks, i'll try this.


this is not effective since the additional security encryption is done on the server side and not on the client side..

traditional way :

client(hashed) --[pass:test]-->server-->[check db]-->(success/fail)

I'm hacker I get this ↑

(boom I know your pass)

+salt

client(hashed) --[pass:test]-->server-->[check db+salt]-->(success/fail)

I'm hacker I get this ↑

(boom I also know your pass)

anyway this is useful if the attacker/hacker is on the server side..:)

:meow:


I don't get it.

A hash is a hash, you can't reverse it, you have to brute force all possible combinations to have it.

Even if the hacker knows the key, if it's a complicated key you will not be able to reverse the hash without testing all possibilities.

And yeah it's useful only if the attacker/hacker has access to the server (even if in this case, there are other ways to get passwords).


I don't get it.

A hash is a hash, you can't reverse it, you have to brute force all possible combinations to have it.

hahaha..I mean if the password used is in the dictionary cause I'm basing my example on the password given at later post..and I also stated there "pass:test"

:meow:


Ok I now understand the "pass:test" thing lol, of course the secret key has to be strong :P


Well, there are the <passwordencrypt> and <passwordencrypt2> clientinfo functions, which I haven't delved extremely deep into, but I see that they are supported (at least there are checks) on the server side. I believe what malufett was referring to in the previous post was that the client generally sends the password in plaintext. Sending a password in plaintext is not a good thing.
