What’s the point of hashing passwords over an insecure connection?

[Reverend Greed]

SMF hashes like so...

sha1($username.$pass)

Just a small tweek:

Either:

$hased = sha1(strtolower($username).$password);

Or

sha1(strtolower('username') . 'password');

[breaknick]

SMF hashes like so...

sha1($username.$pass)

Just a small tweek:

Either:

$hased = sha1(strtolower($username).$password);

Or

sha1(strtolower('username') . 'password');

...how dare you.

[silentfreak]

I read sha1 was much more secure than MD5. This is true but:

http://www.techworld.com/security/news/index.cfm?NewsID=3156

OK, so it's still very, very hard to break but it still leaves us with no really secure and easy hashing system.

[Reverend Greed]

I read sha1 was much more secure than MD5. This is true but:

http://www.techworld.com/security/news/index.cfm?NewsID=3156

OK, so it's still very, very hard to break but it still leaves us with no really secure and easy hashing system.

Yes, it is much more secure than MD5 which was broken years ago.

Anyway, this crack ONLY AFFECTS sums, really.  If you have the original data, and the hash, you can make extra data that also makes the match...  in other words, let's say:

abc

Generates the hash:

1234

This attack allows you to find another, say:

dbc

That also generates the same hash.  Why is this point so important?!  You HAVE to know "abc"!  In other words, this only works if you ALREADY KNOW the password.  If you don't know it, there's still no known way to get the password.

That means if you are the only person who knows your password, "abc", then no one can use this against you.

So, it leaves you with a secure hashing system.  And, again, it's more than possible to upgrade later on.

[silentfreak]

What hashing system hasn't been broken?

[Reverend Greed]

The ones that I know from the top of my head are:

1.  Tiger: 192-bit hash.
2.  Whirlpool: 512-bit hash.
3.  AES hash.

[silentfreak]

Hey rev..

I came across this -

http://www.cnn.com/TECH/science/9809/03/t_t/hacker.subculture/

How did you get your handle on CNN?

[Tachyon]

Pfff, muggles.

[Colonel Panic]

Couldn't you simply append some kind of a secret session id or a nonce string or something that the server could decode to the password before hashing it, that would make it undecypherable to a hacker?

[gangals]

Couldn't you simply append some kind of a secret session id or a nonce string or something that the server could decode to the password before hashing it, that would make it undecypherable to a hacker?

i.e., a new encryption scheme.

[Reverend Greed]

Hey rev..

I came across this -

http://www.cnn.com/TECH/science/9809/03/t_t/hacker.subculture/

How did you get your handle on CNN?

That was 9 years ago when I did an interview for CNN at defcon.  The article you're referencing was a CNN interactive piece dumb-downed from the actual television broadcast.  In the television piece myself and two others demonstrated how easy it was to compromise the hotel's PBX.

[Tachyon]

Did you SE it or what?

[Reverend Greed]

Did you SE it or what?

Yes, 100% correct.  What we were trying to show was that even though the hotel was hosting a hacker convention - they still gave up the information with little effort.

[Tachyon]

SEing is always good for a quick demonstration in my experience.

[silentfreak]

Reverend:

I'm having some serious slow-downs on the peak hours of my forum. (SMF 1.0.8, PHP 4.4.0, MySQL 4.1.14-standard)
This is a very big forum (80K page views/day, 200+ users online 24/7, and around 900 messages per day) using a dedicated server running on Dual Xeon 2.4GB and 2GB DDR.

it seems like the memory is EXTREMELY HIGH (80-95%).. I guess this is the bottleneck ? the only solution is to get more RAM (I already have 2GB..) ?
I noticed that it doesn't use almost any SWAP (0.153%..).. it's a problem, or maybe the server is simply configured to use all the real memory before going to the swap, and that's why it's 95% (?!$?!) full ?