Comments on: PHP Password Salt and Pepper using sha1 MD5 Hash http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/ Create My - eCommerce - Web Development - Web Design - Dale Hurley Wed, 18 Apr 2012 03:23:26 +0000 hourly 1 By: Uhrzeit http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-48765 Uhrzeit Thu, 01 Dec 2011 14:04:22 +0000 http://createmy.com.au/?p=348#comment-48765 @Nico, i tryed a Bruforce Script with for($i=0;$istore into http://www.tools-blog.de/ therefore i wrote a md5 hash generator i check -> if md5 Hash exissts return false $hit[] = check Response; } but there are no equal hashes thx for this arcticle @Nico,

i tryed a Bruforce Script with
for($i=0;$istore into http://www.tools-blog.de/
therefore i wrote a md5 hash generator
i check -> if md5 Hash exissts return false
$hit[] = check Response;
}

but there are no equal hashes

thx for this arcticle

]]> By: Shelby Melban http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-29491 Shelby Melban Fri, 24 Jun 2011 15:23:13 +0000 http://createmy.com.au/?p=348#comment-29491 Awesome love it Awesome love it

]]> By: admin http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-24789 admin Wed, 04 May 2011 03:09:37 +0000 http://createmy.com.au/?p=348#comment-24789 That is a form of reverse engineering. That is a form of reverse engineering.

]]> By: wimvds http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-23863 wimvds Tue, 19 Apr 2011 12:41:02 +0000 http://createmy.com.au/?p=348#comment-23863 MD5 hasn't been reverse engineered. The site is simply storing the hashes that were generated, and tries to match those (so they're using the "rainbow table" approach). When you try to "decrypt" a key they don't know about yet, you'll get a simple "Sorry, this MD5 hash wasn't found in our database". But when you encrypt that and try it again, it "magically" appears (now how would they do that :p). MD5 hasn’t been reverse engineered. The site is simply storing the hashes that were generated, and tries to match those (so they’re using the “rainbow table” approach). When you try to “decrypt” a key they don’t know about yet, you’ll get a simple “Sorry, this MD5 hash wasn’t found in our database”. But when you encrypt that and try it again, it “magically” appears (now how would they do that :p).

]]> By: Chris Paul » Blog Archive » Oct 19, 2009 sweet links http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-7198 Chris Paul » Blog Archive » Oct 19, 2009 sweet links Tue, 19 Oct 2010 03:04:15 +0000 http://createmy.com.au/?p=348#comment-7198 [...] PHP Password Salt and Pepper using sha1 MD5 Hash [...] [...] PHP Password Salt and Pepper using sha1 MD5 Hash [...]

]]> By: Nico http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-6715 Nico Sat, 09 Oct 2010 12:07:57 +0000 http://createmy.com.au/?p=348#comment-6715 What I don't understand about all this salt n pepper... Isn't it always like this, that as soon as the attacker knows my database and my function, encoding it, that it becomes very easy to crack the password? I'm surely not an expert, but just trying to understand such issues better... In the example given, wouldn't it be possible, to do a bruteforce easily as well, if i get hold of the function??? e.g. [PHP] function bruteforce() {creates different possible passwords from either dictonary, or systamatic approach, e.g. return 'HelloKitty';} //then i do: $numberOFtrys=100000000000000; whilte ($i<$numberOFtrys){ $test=bruteforce(); if (saltPlease($test) == $HASHfromYOURdb){ echo $test." is the password"; exit; } } [/PHP] So as far as I understand this issue, salt (and pepper) make a password safer, as long as "just" the database has been accessed by the attacker, but as soon as he gets hold of the function used, as well, it doesnt matter how complex the encoding algorythm is, right? Or am I completly wrong on this, then please correct me! kind regards What I don’t understand about all this salt n pepper… Isn’t it always like this, that as soon as the attacker knows my database and my function, encoding it, that it becomes very easy to crack the password?
I’m surely not an expert, but just trying to understand such issues better…

In the example given, wouldn’t it be possible, to do a bruteforce easily as well, if i get hold of the function???
e.g.
[PHP]
function bruteforce() {creates different possible passwords
from either dictonary, or systamatic approach, e.g.
return ‘HelloKitty’;}

//then i do:
$numberOFtrys=100000000000000;
whilte ($i<$numberOFtrys){
$test=bruteforce();
if (saltPlease($test) == $HASHfromYOURdb){
echo $test." is the password";
exit;
}
}
[/PHP]

So as far as I understand this issue, salt (and pepper) make a password safer, as long as "just" the database has been accessed by the attacker, but as soon as he gets hold of the function used, as well, it doesnt matter how complex the encoding algorythm is, right?

Or am I completly wrong on this, then please correct me!

kind regards

]]> By: austin http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-3346 austin Tue, 27 Jul 2010 13:17:28 +0000 http://createmy.com.au/?p=348#comment-3346 if your algorithm is known, and the time of registry know (since you have to store this info to compare the pass it could be) then to crack it i just need to do this: $pass=one result of a rainbow table attack $thetime=the result bit i stole from the database telling when they were created $hashedPass=the hashed pass i stole from your datbase if(md5('your'.$pass.$time.'mother')==$hashedPass) { doStuff(); } and i can do the other one too, under the same algorithm (since i know $user->created, i know which one its using) the thing with salts is both the salt AND the algorithm to make them have to be secret or someone can just crack it. yours has the advantage though that the algorithm has 16 permutations (but to be honest it will almost always evaluate to 1, you needed substr(-1,1) to get the last digit...you got the first digit which almost never changes) but if you know the method you can derive the pass. if your algorithm is known, and the time of registry know (since you have to store this info to compare the pass it could be) then to crack it i just need to do this:
$pass=one result of a rainbow table attack
$thetime=the result bit i stole from the database telling when they were created
$hashedPass=the hashed pass i stole from your datbase
if(md5(‘your’.$pass.$time.’mother’)==$hashedPass)
{
doStuff();
}
and i can do the other one too, under the same algorithm (since i know $user->created, i know which one its using)
the thing with salts is both the salt AND the algorithm to make them have to be secret or someone can just crack it.

yours has the advantage though that the algorithm has 16 permutations (but to be honest it will almost always evaluate to 1, you needed substr(-1,1) to get the last digit…you got the first digit which almost never changes) but if you know the method you can derive the pass.

]]> By: LimeSpace – IT » Der Wochenr?ckblick: Grafiken, PHP Kennw?rter mit Salt, JQuery + Formulare. http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-121 LimeSpace – IT » Der Wochenr?ckblick: Grafiken, PHP Kennw?rter mit Salt, JQuery + Formulare. Sat, 24 Oct 2009 10:59:58 +0000 http://createmy.com.au/?p=348#comment-121 [...] Starten wir mit dem Thema Sicherheit und PHP, immer wieder bekommt man es in den Medien mit, Datenbanken mit Passw?rtern werden gestohlen. Um nun mindestens mal die Kennw?rter sicher(er) abzulegen empfiehlt es sich einen sogenannten “SALT” zu verwenden. Eine relativ sch?ne Methode findet ihr hier “PHP Password Salt & Pepper“. [...] [...] Starten wir mit dem Thema Sicherheit und PHP, immer wieder bekommt man es in den Medien mit, Datenbanken mit Passw?rtern werden gestohlen. Um nun mindestens mal die Kennw?rter sicher(er) abzulegen empfiehlt es sich einen sogenannten “SALT” zu verwenden. Eine relativ sch?ne Methode findet ihr hier “PHP Password Salt & Pepper“. [...]

]]> By: Frank http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-106 Frank Mon, 19 Oct 2009 08:04:09 +0000 http://createmy.com.au/?p=348#comment-106 Why would u take so much effort ? $pass = escape_etc ( $_POSt['passowrd''] ); $user = new User; $user->create = time(); $user->email = 'mail@mail.com'; switch( substr( $user->created,0,1 ) ) { case 1: $user->pass = md5('your' , $pass . $user->created . 'mother'); break; case 2: $user->pass = md5($pass . substr( $user->created, 0, 5) . 'smells'); break; case ... } $user->save(); Why would u take so much effort ?

$pass = escape_etc ( $_POSt['passowrd''] );

$user = new User;
$user->create = time();
$user->email = ‘mail@mail.com’;
switch( substr( $user->created,0,1 ) ) {
case 1:
$user->pass = md5(‘your’ , $pass . $user->created . ‘mother’);
break;
case 2:
$user->pass = md5($pass . substr( $user->created, 0, 5) . ‘smells’);
break;
case …
}
$user->save();

]]> By: Rob http://createmy.com.au/php-password-salt-and-pepper-using-sha1-md5-hash/comment-page-1/#comment-100 Rob Sat, 17 Oct 2009 12:37:39 +0000 http://createmy.com.au/?p=348#comment-100 Incredibly, you managed to come up with something worse than <a href="http://en.wikipedia.org/wiki/Crypt_%28Unix%29" rel="nofollow">unix crypt()</a> <a href="http://chargen.matasano.com/chargen/2007/9/7/enough-with-the-rainbow-tables-what-you-need-to-know-about-s.html" rel="nofollow">in 1976</a>. Incredibly, you managed to come up with something worse than unix crypt() in 1976.

]]>