On Wed, 14 Aug 2002, Robert Parker wrote:

>-On Tuesday 13 August 2002 10:57 am, you wrote:
>-> MD5 encryption of passwords is secure since you do not need to decrypt the
>-> password ever (in fact you can't).  You just encrypt the password that the
>-> user entered and check if the MD5 of each password is the same, then the
>-> user most likely entered the correct password.
>-I don't remember where I read this but it only takes the crackers about 1 - 2 
>-seconds to crack your average MD5 encrypted password. This is quite logical
>-because all they had to do is make a database of all of the MD5 sums of all 
>-the passwords in the various dictionaries.
>-The only Linux distro in my (limited) experience that gave the option of MD5 
>-encryption of passwords was Debian 2. Even then you had the option of shadow 
>-password files instead. Debian 2 is quite old. Later distros such as Mandrake 
>-8.0 and up simply use shadow password files without other option.
>-Bob Parker

Bob, this is an excellent point.

Your statement seems to assume the crackers have made off with the list of
MD5 hashes for the passwords.  One way to foil their attempts at
"guessing" the original strings from the MD5 hashes is to incorporate code
that prepends or appends a system string known only to the webmaster when
creating the MD5 hash.  Of cource if they have made their way into your
system deep enough to get the MD5 info, then they might also have the
system string.  Oh well.

MD5 is pretty much impractical to decrypt, but if the passwords that
create the MD5 sums are easy to guess, then dictionary attacks are still
useful are are a bigger problem that MD5, SHA or any other hash generator.

I see the only way around this is to regularly require your users to
reverify several answers to several questions on each login or, perhaps,
every month or so.

So instead of requesting:

One could ask:
        pet's name:
        mother maidenname:

As always, the question remains - How much security is too much security? 


>-PHP General Mailing List (http://www.php.net/)
>-To unsubscribe, visit: http://www.php.net/unsub.php


John Huggins



PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to