PHP Developers Network


All times are UTC - 5 hours




PostPosted: Thu Jun 07, 2012 11:31 am 
While it has been preached here for a while that MD5 is not a good choice to use for password hashing, it was definitely confirmed:

http://phk.freebsd.dk/sagas/md5crypt_eol.html
Quote:
As the author of md5crypt, I implore everybody to migrate to a stronger password scrambler without undue delay.


More info: http://www.zdnet.com/blog/security/md5- ... safe/12317 including:

Quote:
The primary cause [of the decrypting of some of the 6.4 million passwords leaked] is LinkedIn’s failure to properly ’salt’ the hashed passwords using SHA-1 algorithm.


Saw an article this morning that eHarmony was also compromised; however, I didn't catch whether they are also being easily decrypted.

-Greg


PostPosted: Thu Jun 07, 2012 11:45 am 
This simply cannot be mentioned often enough. Thanks for posting this.

_________________
Stay on top of upgrades.
Supported PHP versions
No longer supported versions


PostPosted: Thu Jun 07, 2012 2:49 pm 
Add another one to the list.... last.fm
http://www.theverge.com/2012/6/7/307063 ... sword-leak


PostPosted: Thu Jun 07, 2012 2:52 pm 
I declare it "(Inter)National Change Your Password Day" LOL


PostPosted: Thu Jun 07, 2012 9:05 pm 
As others have mentioned elsewhere, the whole "scrambler" thing bothers me.

Meanwhile SHA-1 is getting towards the end of its lifetime too. Current recommendations are at least SHA-256.


PostPosted: Thu Jun 14, 2012 9:30 am 
requinix wrote:
Current recommendations are at least SHA-256.


Or indeed to move away from such rapidly executing hash functions altogether.


PostPosted: Sat Jun 16, 2012 7:10 am 
greyhoundcode wrote:
Or indeed to move away from such rapidly executing hash functions altogether.

So then what do you suggest?


PostPosted: Sat Jun 16, 2012 10:36 am 
bcrypt with a high work factor.

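What the bcrypt suggestion above can look like in PHP when an existing user table still holds unsalted MD5 digests. This is an added example, not code from this thread; it assumes PHP 5.6+ (the `password_*` functions and `hash_equals`), and the function names, the in-memory `$store` array, and the cost of 12 are illustrative assumptions.

```php
<?php
// Added example: upgrade legacy unsalted MD5 password hashes to bcrypt at login.
// Assumptions: PHP 5.6+; $store is a hypothetical stand-in for the users table;
// the cost of 12 is an illustrative work factor, to be tuned on real hardware.

function is_legacy_md5($stored)
{
    // Legacy rows hold a bare 32-character hex digest; bcrypt hashes start with "$2y$".
    return (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
}

function verify_and_upgrade(array &$store, $user, $password)
{
    if (!isset($store[$user])) {
        return false;
    }
    $stored  = $store[$user];
    $options = ['cost' => 12];

    if (is_legacy_md5($stored)) {
        // Check against the old scheme once, in constant time, only to migrate.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Correct password: replace the MD5 digest with a salted bcrypt hash.
        $store[$user] = password_hash($password, PASSWORD_BCRYPT, $options);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Existing bcrypt hash with a lower work factor: re-hash at the current cost.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        $store[$user] = password_hash($password, PASSWORD_BCRYPT, $options);
    }
    return true;
}

// Constructed sample data: one legacy MD5 row, one bcrypt row at a lower cost.
$store = [
    'alice' => md5('correct horse'),
    'bob'   => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

var_dump(verify_and_upgrade($store, 'alice', 'wrong guess'));   // rejected, row unchanged
var_dump(verify_and_upgrade($store, 'alice', 'correct horse')); // accepted, row migrated
var_dump(verify_and_upgrade($store, 'bob', 'battery staple'));  // accepted, cost raised
var_dump(password_get_info($store['alice'])['algoName']);
var_dump(password_get_info($store['bob'])['options']['cost']);
```

Accounts that never log in again keep their MD5 digest under this scheme, so dormant rows need a forced reset or a separate cleanup. bcrypt only uses the first 72 bytes of the password.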
 
PostPosted: Sat Jun 16, 2012 1:35 pm 
Time to get back and closely read:

LOGIN & REGISTRATION Script Tutorial at viewtopic.php?f=28&t=135287


PostPosted: Fri Jul 13, 2012 12:40 am 
carrington01 wrote:
I thought MD5 was secure and safe. Is it true that it is no longer considered safe?

Yes. And stop spamming.

