Welcome to WebmasterWorld Guest from 54.197.75.176

Forum Moderators: phranque

Message Too Old, No Replies

MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author

     
1:29 pm on Jun 7, 2012 (gmt 0)

Administrator from GB 

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month

joined:May 9, 2000
posts:23500
votes: 409


MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author [zdnet.com]
The original author of the MD5 password hash algorithm has publicly declared his software end-of-life and is “no longer considered safe” to use on commercial websites.

Danish developer Poul-Henning Kamp, who developed the widely used MD5 password hash algorithm, said that limitations to his software and a corresponding increase in computing power since its initial release has rendered algorithm obsolete.

“I implore everybody to migrate to a stronger password scrambler without undue delay,”
1:42 pm on June 7, 2012 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator andy_langton is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 27, 2003
posts:3332
votes: 140


Great quote from the author there, too:

All major internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm (consisting of course of standard one-way hash functions like SHA2 etc) for their site, in order to make development of highly optimized password brute-force technologies a “per-site” exercise for attackers.


I'd say he's right on the money, although this would put some burden back on those sites, of course.
4:25 pm on June 7, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4398
votes: 2


Check PHP man and scroll down to review a few interesting suggestion on using sha 256.

I am thinking to implement something like that in a few new scripts instead of the usual md5()

[php.net ]
4:50 pm on June 7, 2012 (gmt 0)

Moderator from CA 

WebmasterWorld Administrator httpwebwitch is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 29, 2003
posts:4059
votes: 0


Goodbye MD5. You've been a good friend. Thanks for watching my back.

RIP MD5

:(
5:06 pm on June 7, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4398
votes: 2


Once upon a time... when CAPTCHA was said to be the universal panacea!
6:53 pm on June 7, 2012 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14650
votes: 94


What you really need are secure servers because if the server wasn't being hacked the password could be plain text and it would be just fine as long as it's being transmitted via SSL.

People shouldn't even be in control of creating and managing their own passwords anyway because the majority of people are using medium strength passwords at best, if we're lucky.
8:13 pm on June 7, 2012 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Apr 19, 2003
posts: 4398
votes: 2


People shouldn't even be in control of creating and managing their own passwords anyway because the majority of people are using medium strength passwords at best, if we're lucky.


With a well defined regex and corresponding "how to enter PW" the new registering user could be somehow "forced" to create a good strong PW.

I am not pro self-generated-PW as the user will not memorize it, thus writing it down! And anyway will, first thing first, change it to "passord101" :)

You are correct people should not be trusted, once I visited a client, go through the accounting dpt, something caught my eyes, it was a sticker on a monitor, I knew what it was, nevertheless asked about it and they candidly said that it was the accounting master PW .....
8:35 pm on June 7, 2012 (gmt 0)

Senior Member from FR 

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Feb 15, 2004
posts:6717
votes: 230


Bill ..problem is ..we here are all "people" when we are on someone else's site..:)
5:35 am on June 8, 2012 (gmt 0)

Administrator from US 

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 25, 2005
posts:14650
votes: 94


thus writing it down!

Not nearly as bad as letting a hacker get access.

I'm not concerned with anything left on my desk because nobody is allowed in my office, no touching the desk or anything on it, and all trespassers will be violated.

Using my computer is completely forbidden, penalty of beheading, so someone remembering my password if they ever see it isn't much of a problem ;)

Of course my wife is the only exception, all others should stay clear.

Bill ..problem is ..we here are all "people" when we are on someone else's site


That has nothing to do with learning and using basic memorization skills.

They taught us that stuff in school, at least at my school they did...