Author | Message | Time |
---|---|---|
hismajesty | Why does this generate errors? [code]Md5(crypt(base64_encode($password)))[/code] | December 23, 2003, 3:28 AM |
Spht | [quote author=hismajesty link=board=22;threadid=4402;start=0#msg36824 date=1072150103] Why does this generate errors? [code]Md5(crypt(base64_encode($password)))[/code] [/quote] I hope you're kidding. | December 23, 2003, 3:32 AM |
hismajesty | [quote author=Spht link=board=22;threadid=4402;start=0#msg36825 date=1072150326] [quote author=hismajesty link=board=22;threadid=4402;start=0#msg36824 date=1072150103] Why does this generate errors? [code]Md5(crypt(base64_encode($password)))[/code] [/quote] I hope you're kidding. [/quote] Sadly I'm not...I don't understand why encrypting something three ways would generate an error... (It doesn't help that I'm just learning php either) | December 23, 2003, 3:36 AM |
Spht | [quote author=hismajesty link=board=22;threadid=4402;start=0#msg36826 date=1072150595] [quote author=Spht link=board=22;threadid=4402;start=0#msg36825 date=1072150326] [quote author=hismajesty link=board=22;threadid=4402;start=0#msg36824 date=1072150103] Why does this generate errors? [code]Md5(crypt(base64_encode($password)))[/code] [/quote] I hope you're kidding. [/quote] Sadly I'm not...I don't understand why encrypting something three ways would generate an error... (It doesn't help that I'm just learning php either) [/quote] I don't know PHP. But that's like saying[code]MyReturn = MyFunction(DoesThis(AndThis(ToThis))) Why doesn't this work???[/code] You may need to post your Md5, crypt, base64_encode functions which could be buggy and causing the error. | December 23, 2003, 3:40 AM |
hismajesty | Those functions are all built into PHP. I guess I'll just do [code]Md5($password)[/code] instead, I was just thinking that it being encrypted three times would make it more secure and what not. | December 23, 2003, 3:42 AM |
Spht | [quote author=hismajesty link=board=22;threadid=4402;start=0#msg36828 date=1072150931] Those functions are all built into PHP. I guess I'll just do [code]Md5($password)[/code] instead, I was just thinking that it being encrypted three times would make it more secure and what not. [/quote] That works? Try:[code]base64_encode($password) crypt($password) Md5($password)[/code] | December 23, 2003, 3:44 AM |
St0rm.iD | Ugh@spht If you're looking for one-way encryption, pretty much the best you can get is double-SHA, that is, SHA the data once, then append a "session key" (if applicable) and hash again. If there are no such session keys, one time will suffice. | December 23, 2003, 4:02 PM |
ProjecT | hrm. <FORM> <INPUT TYPE=TEXT NAME=code VALUE="<?echo $code?>"> <INPUT TYPE=SUBMIT NAME=action VALUE="Encode"> <INPUT TYPE=SUBMIT NAME=action VALUE="Decode"> </FORM><BR> <? if($action == "Encode") { echo "<B><FONT FACE=Arial>Output:</FONT></B><BR>"; echo base64_encode($code); } elseif($action == "Decode") { echo "<B><FONT FACE=Arial>Output:</FONT></B><BR>"; echo base64_decode($code); } ?> | December 25, 2003, 5:59 PM |
Yoni | Hash(Base64 of password) and Hash(Plaintext password) are equally secure. If all you're going to do is calculate a hash, encoding as base64 is unnecessary. See also St0rm's post. Base64 by itself offers zero security. Its purpose is not security. Its purpose is to encode any data to a form that contains only printable characters, with an overhead of only 33% (as opposed to, for example, an overhead of 100% with encoding as Hex). | December 25, 2003, 11:41 PM |
hismajesty | Project, that was pointless. We've already established that base64 was pointless; thus, the reason that I wasn't satisfied using just base64. Base64 is easily decoded with the base64_decode function of PHP; thus, it's a pointless form of encrypting. Anyways, I just decided to do MD5 hashing only. | December 25, 2003, 11:47 PM |
CrAzY | [quote author=ProjecT link=board=22;threadid=4402;start=0#msg37099 date=1072375163] hrm. <FORM> <INPUT TYPE=TEXT NAME=code VALUE="<?echo $code?>"> <INPUT TYPE=SUBMIT NAME=action VALUE="Encode"> <INPUT TYPE=SUBMIT NAME=action VALUE="Decode"> </FORM><BR> <? if($action == "Encode") { echo "<B><FONT FACE=Arial>Output:</FONT></B><BR>"; echo base64_encode($code); } elseif($action == "Decode") { echo "<B><FONT FACE=Arial>Output:</FONT></B><BR>"; echo base64_decode($code); } ?> [/quote] Looks like a Visual Basic programmer. | December 25, 2003, 11:48 PM |
ProjecT | Uhhh sorry if it was too late... I just said my idea... and Crazy a little VB, can't do a nice work like you or other people, I still need to learn :o. And Shadowed is teaching me PHP, heh, he is a god, he made Psi Ops. | December 27, 2003, 12:56 AM |
Arta | What are you trying to do exactly? If you're saving a password as a cookie or something, remember that in most cases, obtaining the hash of a password is equally as useful as obtaining the password itself. Hashing != Insta-secure. | December 27, 2003, 11:04 PM |
UserLoser. | [quote author=Spht link=board=22;threadid=4402;start=0#msg36827 date=1072150826] [code]MyReturn = MyFunction(DoesThis(AndThis(ToThis))) Why doesn't this work???[/code][/quote] ROFL ;D | December 28, 2003, 12:13 AM |
Kp | [quote author=Arta[vL] link=board=22;threadid=4402;start=0#msg37270 date=1072566286]What are you trying to do exactly? If you're saving a password as a cookie or something, remember that in most cases, obtaining the hash of a password is equally as useful as obtaining the password itself. Hashing != Insta-secure.[/quote] This depends in part on who he's trying to protect against. If he's dubious about who else might be reading through the stored data, hashing the password server side is good enough if the intruder can only read saved data (cannot listen to your chat with the client). Failure to do this is what got Trance (in part, anyway): the passwords were stored cleartext, and a malicious individual had read access to the password storage medium. If the passwords had been stored as a hash, it would have taken at least a little bit of work for the attacker to determine Trance's password in cleartext form. If the hash is computed client side, then, as you say, obtaining the hash is as good as having the password - for purposes of impersonating the user. However, even in this case, having the hash of the password would not immediately grant knowledge of the user's cleartext password, so you could only impersonate him/her in this one location. In my opinion, a good compromise between effort and security is to take the approach Blizzard uses -- a two layer hashing of the password, with the server remembering the one-pass hash and recomputing the two-pass hash from the stored data + the challenge/response cookies. | December 28, 2003, 1:00 AM |
UserLoser. | [quote author=Kp link=board=22;threadid=4402;start=0#msg37280 date=1072573238] This depends in part on who he's trying to protect against. If he's dubious about who else might be reading through the stored data, hashing the password server side is good enough if the intruder can only read saved data (cannot listen to your chat with the client). Failure to do this is what got Trance (in part, anyway): the passwords were stored cleartext, and a malicious individual had read access to the password storage medium. If the passwords had been stored as a hash, it would have taken at least a little bit of work for the attacker to determine Trance's password in cleartext form. If the hash is computed client side, then, as you say, obtaining the hash is as good as having the password - for purposes of impersonating the user. However, even in this case, having the hash of the password would not immediately grant knowledge of the user's cleartext password, so you could only impersonate him/her in this one location. In my opinion, a good compromise between effort and security is to take the approach Blizzard uses -- a two layer hashing of the password, with the server remembering the one-pass hash and recomputing the two-pass hash from the stored data + the challenge/response cookies. [/quote] How are the BotNet accounts & passwords saved? | December 28, 2003, 2:36 AM |
Kp | [quote author=UserLoser. link=board=22;threadid=4402;start=15#msg37285 date=1072578962]How are the BotNet accounts & passwords saved?[/quote] They're still saved however Skywing had them configured to be saved. I haven't even touched his account modification functions (there's been no need). | December 28, 2003, 2:53 AM |
Adron | [code] storedhash = read(); randomvalue1 = read(); password = recv(); hash = md5(password + randomvalue1); for(i = 0; i < 1000000; i++) hash = md5(hash + randomvalue1); if(storedhash == hash) success(); [/code] Very secure! | January 3, 2004, 11:42 PM |
UserLoser. | [quote author=Adron link=board=22;threadid=4402;start=15#msg38242 date=1073173360] [code] storedhash = read(); randomvalue1 = read(); password = recv(); hash = md5(password + randomvalue1); for(i = 0; i < 1000000; i++) hash = md5(hash + randomvalue1); if(storedhash == hash) success(); [/code] Very secure! [/quote] Is there any language/scripting you don't know? :P | January 4, 2004, 12:37 AM |
Adron | [quote author=UserLoser. link=board=22;threadid=4402;start=15#msg38247 date=1073176652] [quote author=Adron link=board=22;threadid=4402;start=15#msg38242 date=1073173360] [code] storedhash = read(); randomvalue1 = read(); password = recv(); hash = md5(password + randomvalue1); for(i = 0; i < 1000000; i++) hash = md5(hash + randomvalue1); if(storedhash == hash) success(); [/code] Very secure! [/quote] Is there any language/scripting you don't know? :P [/quote] That's probably not valid php btw... I've only done very little php scripting, and this was more like pseudocode. I was just suggesting that he hash it one million times for improved security. | January 4, 2004, 12:49 AM |
j0k3r | He missed an end if. [edit]and an end for[/edit] | January 4, 2004, 3:31 AM |
kamakazie | [quote author=j0k3r link=board=22;threadid=4402;start=15#msg38257 date=1073187066] He missed an end if. [edit]and an end for[/edit] [/quote] He did? Adron's code is fun. | January 7, 2004, 8:29 PM |
Adron | It's not the code that matters, it's the idea it tries to convey. | January 7, 2004, 10:14 PM |
kamakazie | [quote author=Adron link=board=22;threadid=4402;start=15#msg38741 date=1073513674] It's not the code that matters, it's the idea it tries to convey. [/quote] That's why it's fun :) | January 7, 2004, 11:52 PM |
venox | [quote author=j0k3r link=topic=4402.msg38257#msg38257 date=1073187066] He missed an end if. [edit]and an end for[/edit] [/quote] Actually, if you want to get technical, in PHP, if you are only doing 1 thing in an if/for statement the { } are not required, therefore.. if($blah) do_something(); or for($i = 0; $i < 10; $i++) do_something(); is just fine.. | October 31, 2004, 1:27 PM |
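
Kp's two-pass challenge/response and Adron's salted, iterated hash, combined in one PHP sketch; this is an added example, not code from any poster in the thread or from Blizzard. The function names, iteration count and sample password are assumptions, and PBKDF2 plus HMAC-SHA-256 stand in for the MD5/SHA constructions the thread discusses.

```php
<?php
// Added example. All function names here are hypothetical.
const ITERATIONS = 100000; // assumed work factor, tune for your hardware

// Registration: the server keeps a random salt and a slow, salted hash.
// This is the "one-pass hash" in Kp's description, made expensive to
// guess in the spirit of Adron's hash-it-many-times loop.
function register_user(string $password): array {
    $salt = random_bytes(16);
    $hash = hash_pbkdf2('sha256', $password, $salt, ITERATIONS, 32, true);
    return ['salt' => $salt, 'hash' => $hash];
}

// Server: a fresh random challenge for every login attempt.
function new_challenge(): string {
    return random_bytes(16);
}

// Client: rebuild the one-pass value from the typed password, then bind it
// to this challenge. HMAC replaces plain hash(challenge . hash).
function client_response(string $password, string $salt, string $challenge): string {
    $onePass = hash_pbkdf2('sha256', $password, $salt, ITERATIONS, 32, true);
    return hash_hmac('sha256', $challenge, $onePass, true);
}

// Server: recompute the second pass from stored data + challenge and
// compare in constant time. The cleartext password never reaches the server.
function server_verify(array $record, string $challenge, string $response): bool {
    $expected = hash_hmac('sha256', $challenge, $record['hash'], true);
    return hash_equals($expected, $response);
}

// Constructed sample data, not taken from the thread.
$record    = register_user('correct horse battery');
$challenge = new_challenge();
$response  = client_response('correct horse battery', $record['salt'], $challenge);

// Case 1: right password, matching challenge.
var_dump(server_verify($record, $challenge, $response));
// Case 2: the same response replayed against a new challenge.
var_dump(server_verify($record, new_challenge(), $response));
// Case 3: wrong password for the original challenge.
$bad = client_response('guess', $record['salt'], $challenge);
var_dump(server_verify($record, $challenge, $bad));
// Arta's caveat still applies: $record['hash'] is all the server needs to
// check a response, so the stored value must be protected like a password.
```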