MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author

     
1:29 pm on Jun 7, 2012 (gmt 0)

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month Best Post Of The Month



MD5 Password Encryption Algorithm Is No Longer Safe, Says Its Author [zdnet.com]
The original author of the MD5 password hash algorithm has publicly declared his software end-of-life and is “no longer considered safe” to use on commercial websites.

Danish developer Poul-Henning Kamp, who developed the widely used MD5 password hash algorithm, said that limitations to his software and a corresponding increase in computing power since its initial release has rendered algorithm obsolete.

“I implore everybody to migrate to a stronger password scrambler without undue delay,”
1:42 pm on Jun 7, 2012 (gmt 0)

WebmasterWorld Senior Member andy_langton is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Great quote from the author there, too:

All major internet sites, anybody with more than 50.000 passwords, should design or configure a unique algorithm (consisting of course of standard one-way hash functions like SHA2 etc) for their site, in order to make development of highly optimized password brute-force technologies a “per-site” exercise for attackers.


I'd say he's right on the money, although this would put some burden back on those sites, of course.
4:25 pm on Jun 7, 2012 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Check the PHP manual and scroll down to review a few interesting suggestions on using SHA-256.

I am thinking to implement something like that in a few new scripts instead of the usual md5()

[php.net]
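
Added example, not part of any post in this thread: one way to move a PHP script off `md5()` at login time, assuming PHP 7.1+ and its built-in `password_hash()` API. The `verify_and_upgrade` function name and the user-record array are hypothetical.

```php
<?php
// Added example: upgrade legacy md5() password hashes when a user logs in.
// The function name and the user-record layout are hypothetical.

/**
 * Check $password against $user['hash'].
 * Returns the hash that should now be stored (unchanged if already current),
 * or null when the password is wrong.
 */
function verify_and_upgrade(array $user, string $password): ?string
{
    $stored = $user['hash'];

    // Legacy rows: 32 lowercase hex characters produced by unsalted md5().
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        // hash_equals() compares in constant time.
        if (!hash_equals($stored, md5($password))) {
            return null;
        }
        // Correct password: replace the MD5 digest with a salted, slow hash.
        return password_hash($password, PASSWORD_DEFAULT);
    }

    // Rows already migrated to password_hash() output.
    if (!password_verify($password, $stored)) {
        return null;
    }
    // Re-hash if the default algorithm or cost changed since this was stored.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return password_hash($password, PASSWORD_DEFAULT);
    }
    return $stored;
}

// Constructed sample record holding a legacy md5() digest.
$user = ['name' => 'alice', 'hash' => md5('correct horse')];

$new = verify_and_upgrade($user, 'correct horse');
if ($new !== null && $new !== $user['hash']) {
    $user['hash'] = $new;   // in a real script: UPDATE the users table here
}

var_dump(verify_and_upgrade($user, 'wrong guess') === null);
var_dump(password_verify('correct horse', $user['hash']));
```

Accounts that never log in again keep their MD5 digest under this approach, so they need a separate forced reset or expiry.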
4:50 pm on Jun 7, 2012 (gmt 0)

WebmasterWorld Administrator httpwebwitch is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Goodbye MD5. You've been a good friend. Thanks for watching my back.

RIP MD5

:(
5:06 pm on Jun 7, 2012 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



Once upon a time... when CAPTCHA was said to be the universal panacea!
6:53 pm on Jun 7, 2012 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



What you really need are secure servers because if the server wasn't being hacked the password could be plain text and it would be just fine as long as it's being transmitted via SSL.

People shouldn't even be in control of creating and managing their own passwords anyway because the majority of people are using medium strength passwords at best, if we're lucky.
8:13 pm on Jun 7, 2012 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



People shouldn't even be in control of creating and managing their own passwords anyway because the majority of people are using medium strength passwords at best, if we're lucky.


With a well defined regex and corresponding "how to enter PW" the new registering user could be somehow "forced" to create a good strong PW.

I am not pro self-generated-PW as the user will not memorize it, thus writing it down! And anyway will, first thing first, change it to "passord101" :)

You are correct, people should not be trusted. Once I visited a client and went through the accounting dept.; something caught my eye, it was a sticker on a monitor. I knew what it was, nevertheless asked about it, and they candidly said that it was the accounting master PW .....
8:35 pm on Jun 7, 2012 (gmt 0)

WebmasterWorld Senior Member leosghost is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Bill ..problem is ..we here are all "people" when we are on someone else's site..:)
5:35 am on Jun 8, 2012 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



thus writing it down!

Not nearly as bad as letting a hacker get access.

I'm not concerned with anything left on my desk because nobody is allowed in my office, no touching the desk or anything on it, and all trespassers will be violated.

Using my computer is completely forbidden, penalty of beheading, so someone remembering my password if they ever see it isn't much of a problem ;)

Of course my wife is the only exception, all others should stay clear.

Bill ..problem is ..we here are all "people" when we are on someone else's site


That has nothing to do with learning and using basic memorization skills.

They taught us that stuff in school, at least at my school they did...
 
