
Webmaster General Forum

    
MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author
engine




msg:4462443
 1:29 pm on Jun 7, 2012 (gmt 0)

MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author [zdnet.com]
The original author of the MD5 password hash algorithm has publicly declared his software end-of-life and is “no longer considered safe” to use on commercial websites.

Danish developer Poul-Henning Kamp, who developed the widely used MD5 password hash algorithm, said that limitations to his software and a corresponding increase in computing power since its initial release has rendered algorithm obsolete.

“I implore everybody to migrate to a stronger password scrambler without undue delay,”

 

Andy Langton




msg:4462447
 1:42 pm on Jun 7, 2012 (gmt 0)

Great quote from the author there, too:

All major internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm (consisting of course of standard one-way hash functions like SHA2 etc) for their site, in order to make development of highly optimized password brute-force technologies a “per-site” exercise for attackers.


I'd say he's right on the money, although this would put some burden back on those sites, of course.

henry0




msg:4462537
 4:25 pm on Jun 7, 2012 (gmt 0)

Check PHP man and scroll down to review a few interesting suggestions on using sha 256.

I am thinking of implementing something like that in a few new scripts instead of the usual md5()

[php.net]
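
Added example, not code from any poster in this thread or from the PHP manual: one way to move stored md5() digests to a salted, deliberately slow hash at login time, using PHP's built-in password_hash(), password_verify() and password_needs_rehash(). The function name verify_and_upgrade and the $user array layout are hypothetical, and the sample record is constructed.

```php
<?php
// Added example: upgrade legacy md5() password digests at login time.
// verify_and_upgrade() and the $user array layout are hypothetical names.

/**
 * Check $password against the stored hash. If the stored value is a legacy
 * unsalted md5() digest, or a password_hash() value with outdated settings,
 * replace it with a fresh salted hash. Returns true on a successful login.
 */
function verify_and_upgrade(string $password, array &$user): bool
{
    $stored = $user['hash'];

    // Legacy rows: exactly 32 lowercase hex characters, as produced by md5().
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // The plaintext is only available during login, so re-hash it now.
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    // Rows already migrated: password_hash() output carries its own salt and cost.
    if (!password_verify($password, $stored)) {
        return false;
    }
    // Pick up later changes to the default algorithm or cost factor.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed sample record standing in for one database row.
$user = ['name' => 'alice', 'hash' => md5('correct horse battery staple')];

var_dump(verify_and_upgrade('wrong guess', $user));                  // failed login, row untouched
var_dump(verify_and_upgrade('correct horse battery staple', $user)); // legacy login, row upgraded
var_dump($user['hash']);                                             // stored value after the upgrade
var_dump(verify_and_upgrade('correct horse battery staple', $user)); // login against the new hash
```

The hash column has to be wide enough for the new format; the PHP manual recommends 255 characters. Rows for accounts that never log in keep their md5() digest, so the migration is only complete once those passwords are reset or expired.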

httpwebwitch




msg:4462554
 4:50 pm on Jun 7, 2012 (gmt 0)

Goodbye MD5. You've been a good friend. Thanks for watching my back.

RIP MD5

:(

henry0




msg:4462564
 5:06 pm on Jun 7, 2012 (gmt 0)

Once upon a time... when CAPTCHA was said to be the universal panacea!

incrediBILL




msg:4462606
 6:53 pm on Jun 7, 2012 (gmt 0)

What you really need are secure servers because if the server wasn't being hacked the password could be plain text and it would be just fine as long as it's being transmitted via SSL.

People shouldn't even be in control of creating and managing their own passwords anyway because the majority of people are using medium strength passwords at best, if we're lucky.

henry0




msg:4462631
 8:13 pm on Jun 7, 2012 (gmt 0)

People shouldn't even be in control of creating and managing their own passwords anyway because the majority of people are using medium strength passwords at best, if we're lucky.


With a well defined regex and corresponding "how to enter PW" the new registering user could be somehow "forced" to create a good strong PW.

I am not pro self-generated-PW as the user will not memorize it, thus writing it down! And anyway will, first thing first, change it to "passord101" :)

You are correct, people should not be trusted. Once I visited a client and went through the accounting dept; something caught my eye, it was a sticker on a monitor. I knew what it was, nevertheless I asked about it and they candidly said that it was the accounting master PW .....

Leosghost




msg:4462642
 8:35 pm on Jun 7, 2012 (gmt 0)

Bill ..problem is ..we here are all "people" when we are on someone else's site..:)

incrediBILL




msg:4462806
 5:35 am on Jun 8, 2012 (gmt 0)

thus writing it down!

Not nearly as bad as letting a hacker get access.

I'm not concerned with anything left on my desk because nobody is allowed in my office, no touching the desk or anything on it, and all trespassers will be violated.

Using my computer is completely forbidden, penalty of beheading, so someone remembering my password if they ever see it isn't much of a problem ;)

Of course my wife is the only exception, all others should stay clear.

Bill ..problem is ..we here are all "people" when we are on someone else's site


That has nothing to do with learning and using basic memorization skills.

They taught us that stuff in school, at least at my school they did...
