Author Topic: What’s the point of hashing passwords over an insecure connection?  (Read 15906 times)

Offline Reverend Greed

  • PLA Guru
  • *****
  • Posts: 224
  • 1337 13V3L: +42/-7
Quote
SMF hashes like so...

sha1($username.$pass)

Just a small tweek:

Either:

$hased = sha1(strtolower($username).$password);

Or

sha1(strtolower('username') . 'password');
Reboot America

Offline breaknick

  • Junior Phone Loser
  • **
  • Posts: 37
  • 1337 13V3L: +2/-39
Quote
SMF hashes like so...

sha1($username.$pass)

Just a small tweek:

Either:

$hased = sha1(strtolower($username).$password);

Or

sha1(strtolower('username') . 'password');


...how dare you.

Offline silentfreak

  • Junior Phone Loser
  • **
  • Posts: 28
  • 1337 13V3L: +1/-7
I read sha1 was much more secure than MD5. This is true but:

http://www.techworld.com/security/news/index.cfm?NewsID=3156

OK, so it's still very, very hard to break but it still leaves us with no really secure and easy hashing system.

Offline Reverend Greed

  • PLA Guru
  • *****
  • Posts: 224
  • 1337 13V3L: +42/-7
I read sha1 was much more secure than MD5. This is true but:

http://www.techworld.com/security/news/index.cfm?NewsID=3156

OK, so it's still very, very hard to break but it still leaves us with no really secure and easy hashing system.

Yes, it is much more secure than MD5 which was broken years ago.

Anyway, this crack ONLY AFFECTS sums, really.  If you have the original data, and the hash, you can make extra data that also makes the match...  in other words, let's say:

abc

Generates the hash:

1234

This attack allows you to find another, say:

dbc

That also generates the same hash.  Why is this point so important?!  You HAVE to know "abc"!  In other words, this only works if you ALREADY KNOW the password.  If you don't know it, there's still no known way to get the password.

That means if you are the only person who knows your password, "abc", then no one can use this against you.

So, it leaves you with a secure hashing system.  And, again, it's more than possible to upgrade later on.
Reboot America

Offline silentfreak

  • Junior Phone Loser
  • **
  • Posts: 28
  • 1337 13V3L: +1/-7
What hashing system hasn't been broken?

Offline Reverend Greed

  • PLA Guru
  • *****
  • Posts: 224
  • 1337 13V3L: +42/-7
The ones that I know from the top of my head are:

1.  Tiger: 192-bit hash.
2.  Whirlpool: 512-bit hash.
3.  AES hash.
Reboot America

Offline silentfreak

  • Junior Phone Loser
  • **
  • Posts: 28
  • 1337 13V3L: +1/-7
Hey rev..

I came across this -

http://www.cnn.com/TECH/science/9809/03/t_t/hacker.subculture/

How did you get your handle on CNN?

Offline Tachyon

  • Minister of Defence
  • OMG Mod
  • Ninja Phone Loser
  • *****
  • Posts: 1875
  • 1337 13V3L: +125/-62
Do you speak two languages?

"Detective Don Gombo: IM AFRAID THE ONLY ONE "F" IS "U" MY FRIEND. WELCOME TO THE CRIMINAL JUSTICE WEB!"

Offline Colonel Panic

  • PLA Corporate Drone
  • *****
  • Posts: 427
  • 1337 13V3L: +29/-40
  • I lost my phone! Guess that makes me a phoneloser!
Couldn't you simply append some kind of a secret session id or a nonce string or something that the server could decode to the password before hashing it, that would make it undecypherable to a hacker?

Offline gangals

  • Merp?
  • PLA Nation Citizen
  • *
  • Posts: 1031
  • 1337 13V3L: +68/-31
  • ummm cacti
    • http://img116.imageshack.us/img116/1879/bagmanonfire4pb.jpg
Couldn't you simply append some kind of a secret session id or a nonce string or something that the server could decode to the password before hashing it, that would make it undecypherable to a hacker?

i.e., a new encryption scheme.

Offline Reverend Greed

  • PLA Guru
  • *****
  • Posts: 224
  • 1337 13V3L: +42/-7
Hey rev..

I came across this -

http://www.cnn.com/TECH/science/9809/03/t_t/hacker.subculture/

How did you get your handle on CNN?

That was 9 years ago when I did an interview for CNN at defcon.  The article you're referencing was a CNN interactive piece dumb-downed from the actual television broadcast.  In the television piece myself and two others demonstrated how easy it was to compromise the hotel's PBX.
Reboot America

Offline Tachyon

  • Minister of Defence
  • OMG Mod
  • Ninja Phone Loser
  • *****
  • Posts: 1875
  • 1337 13V3L: +125/-62
Did you SE it or what?
Do you speak two languages?

"Detective Don Gombo: IM AFRAID THE ONLY ONE "F" IS "U" MY FRIEND. WELCOME TO THE CRIMINAL JUSTICE WEB!"

Offline Reverend Greed

  • PLA Guru
  • *****
  • Posts: 224
  • 1337 13V3L: +42/-7
Did you SE it or what?

Yes, 100% correct.  What we were trying to show was that even though the hotel was hosting a hacker convention - they still gave up the information with little effort.
Reboot America

Offline Tachyon

  • Minister of Defence
  • OMG Mod
  • Ninja Phone Loser
  • *****
  • Posts: 1875
  • 1337 13V3L: +125/-62
SEing is always good for a quick demonstration in my experience.
Do you speak two languages?

"Detective Don Gombo: IM AFRAID THE ONLY ONE "F" IS "U" MY FRIEND. WELCOME TO THE CRIMINAL JUSTICE WEB!"

Offline silentfreak

  • Junior Phone Loser
  • **
  • Posts: 28
  • 1337 13V3L: +1/-7
Reverend:

I'm having some serious slow-downs on the peak hours of my forum. (SMF 1.0.8, PHP 4.4.0, MySQL 4.1.14-standard)
This is a very big forum (80K page views/day, 200+ users online 24/7, and around 900 messages per day) using a dedicated server running on Dual Xeon 2.4GB and 2GB DDR.

it seems like the memory is EXTREMELY HIGH (80-95%).. I guess this is the bottleneck ? the only solution is to get more RAM (I already have 2GB..) ?
I noticed that it doesn't use almost any SWAP (0.153%..).. it's a problem, or maybe the server is simply configured to use all the real memory before going to the swap, and that's why it's 95% (?!$?!) full ?