Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Robert Parker

On Tuesday 13 August 2002 01:01 pm, you wrote:
> On Wed, Aug 14, 2002 at 02:20:07AM -0400, Robert Parker wrote:
> > I don't remember where I read this but it only takes the crackers about 1
> > - 2 seconds to crack your average MD5 encrypted password. This is quite
> > logical because all they had to do is make a database of all of the MD5
> > sums of all the passwords in the various dictionaries.
>
> Of course, that would necessitate access to the machine.  A brute force
> dictionary attack is much more likely.  To thwart both, enforce strong
> passwords.
>
> --Dan
Yes, I am assuming possible access to the machine; it is far from rare.
Agree with enforcing strong passwords when that is possible.
Just that extra steps may be needed, beyond the encryption method.
Bob


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Analysis & Solutions

On Wed, Aug 14, 2002 at 02:20:07AM -0400, Robert Parker wrote:
>
> I don't remember where I read this but it only takes the crackers about 1 - 2 
> seconds to crack your average MD5 encrypted password. This is quite logical
> because all they had to do is make a database of all of the MD5 sums of all 
> the passwords in the various dictionaries.

Of course, that would necessitate access to the machine.  A brute force
dictionary attack is much more likely.  To thwart both, enforce strong
passwords.

--Dan

-- 
   PHP classes that make web design easier
SQL Solution  |   Layout Solution   |  Form Solution
sqlsolution.info  | layoutsolution.info |  formsolution.info
 T H E   A N A L Y S I S   A N D   S O L U T I O N S   C O M P A N Y
 4015 7 Av #4AJ, Brooklyn NY v: 718-854-0335 f: 718-854-0409

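An added example (editor's, not code from Dan or anyone else in the thread), in PHP since that is what the list is about: the server-side check Dan is asking for. It enforces the mixed-case-and-digits rule Richard mentions further down, accepts the long passphrases John suggests as an alternative, and rejects dictionary words together with the cheap variants (appended digits, case changes, l33t substitutions) that a precomputed table of md5 sums would cover first. The thresholds, the character classes and the tiny word list are this example's own choices, not anything stated in the thread.

```php
<?php
// Added example, not from the thread: a server-side password policy check.
// Thresholds (12 characters, three of four character classes, or a 20+
// character passphrase of 4+ words) are this example's own choices.

declare(strict_types=1);

// Constructed word list standing in for the dictionaries a precomputed
// md5 table is built from; a real deployment would load a large list.
const COMMON_WORDS = ['password', 'pussycat', 'letmein', 'qwerty', 'summer'];

/**
 * Return the list of policy violations; an empty list means "accepted".
 * Two ways to pass: a 12+ character password drawing on at least three of
 * the four character classes, or a 20+ character passphrase of 4+ words.
 */
function passwordPolicyViolations(string $password, array $commonWords = COMMON_WORDS): array
{
    $problems = [];
    $length   = strlen($password);

    // Count character classes present: lowercase, uppercase, digits, symbols.
    $classes = 0;
    foreach (['/[a-z]/', '/[A-Z]/', '/[0-9]/', '/[^a-zA-Z0-9]/'] as $pattern) {
        if (preg_match($pattern, $password) === 1) {
            $classes++;
        }
    }

    $words        = preg_split('/\s+/', trim($password), -1, PREG_SPLIT_NO_EMPTY);
    $isPassphrase = $length >= 20 && count($words) >= 4;

    if (!$isPassphrase) {
        if ($length < 12) {
            $problems[] = 'shorter than 12 characters (or use a passphrase: 4+ words, 20+ characters)';
        }
        if ($classes < 3) {
            $problems[] = 'uses fewer than three of: lowercase, uppercase, digits, symbols';
        }
    }

    // Reject dictionary words and the variants a cracker tries first:
    // case changes, digits/symbols appended, and l33t substitutions.
    $lower    = strtolower($password);
    $stripped = rtrim($lower, '0123456789!@#$%^&*?');
    $deleet   = strtr($stripped, ['0' => 'o', '1' => 'l', '3' => 'e', '4' => 'a', '5' => 's', '@' => 'a', '$' => 's']);
    foreach ($commonWords as $word) {
        if ($stripped === $word || $deleet === $word) {
            $problems[] = "based on the common word '$word'";
            break;
        }
    }
    return $problems;
}

// --- Usage with constructed candidates --------------------------------------
foreach (['pussycat1!', 'P@ssw0rd', 'H&3ph!3s09Zw', 'correct horse battery staple'] as $candidate) {
    $problems = passwordPolicyViolations($candidate);
    printf("%-30s %s\n", $candidate, $problems ? implode('; ', $problems) : 'accepted');
}
```

The normalisation step (lowercase, strip trailing digits and symbols, undo common substitutions) is what makes the word-list check worth having: a list that only matches exact words lets "Pussycat1!" straight through, and that is exactly the kind of entry a cracking dictionary already contains.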




Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread John S. Huggins

On Wed, 14 Aug 2002, Robert Parker wrote:

>-On Tuesday 13 August 2002 12:20 pm, you wrote:
>-> Makes sense, except if you use upper and lowercase characters,
>-> numbers, and symbols (as you should for secure passwords). I
>-> would think that with these kind of passwords, storing the sheer
>-> number of possibilities would get slightly large. And I mean even
>-> if it is easy to break, it's more secure than storing them clear
>-> text.
>->
>-> Adam Voigt
>-> [EMAIL PROTECTED]
>-
>-Thing that really scares me about MD5 being used anywhere that's easily
>-accessible is what happens if 'pussycat' maps on to the same hash as 
>-'H&3ph!3s09Zw'. The crackers don't need the original password just something 
>-that generates the same hash.
>-
>-Bob Parker

Whoa, I thought Bob was saying he found two strings that generate the same
hash.

md5(pussycat) = fd316a211a7178c6fbf09c4c2ac6fa05
md5(H&3ph!3s09Zw) = 4172a5caff5b7878144c8aae11f3de17

Guess not.  WHEW!




**

John Huggins
VANet

[EMAIL PROTECTED]
http://www.va.net/

**






RE: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Richard Black

Doesn't md5 generate a 128-bit binary number???

That means there are 3.4028236692093846346337460743177e+38 possible
combinations which can be generated. So surely the odds of 2 strings
producing the same md5 code are 1 in
3.4028236692093846346337460743177e+38???

Having said that, I guess dictionary based attacks could break in fairly
easily. That's why I always make my users have numbers and mixed case in
their passwords. 

-Original Message-
From: John S. Huggins [mailto:[EMAIL PROTECTED]] 
Sent: 13 August 2002 17:48
To: Robert Parker
Cc: [EMAIL PROTECTED]; Adam Voigt
Subject: Re: Re[2]: [PHP] Credit Card suggestions


On Wed, 14 Aug 2002, Robert Parker wrote:

>-On Tuesday 13 August 2002 12:20 pm, you wrote:
>-> Makes sense, except if you use upper and lowercase characters,
>-> numbers, and symbols (as you should for secure passwords). I would
>-> think that with these kind of passwords, storing the sheer number of
>-> possibilities would get slightly large. And I mean even if it is easy
>-> to break, it's more secure than storing them clear text.
>->
>-> Adam Voigt
>-> [EMAIL PROTECTED]
>-
>-Thing that really scares me about MD5 being used anywhere that's easily
>-accessible is what happens if 'pussycat' maps on to the same hash as
>-'H&3ph!3s09Zw'. The crackers don't need the original password just something
>-that generates the same hash.

Sure, this is possible and I agree it is a concern.  With MD5 there is some
mathematically small chance this will happen.  With SHA even smaller.
However, where do we draw the line?

I suppose requiring users to use long passphrases instead of passwords
and MD5 that result would help with this issue.

>-
>-Bob Parker

**

John Huggins
VANet

[EMAIL PROTECTED]
http://www.va.net/

**


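An added note on the arithmetic in Richard's message (editor's, not part of any post). The "1 in 2^128" figure is the chance that one particular other string lands on a given digest; the chance that some pair among many hashed strings coincides follows the birthday bound instead, which for a 128-bit digest still needs on the order of 2^64 hashes before it becomes likely. (MD5 has since been shown to admit deliberately constructed collisions, but that requires control of both inputs and is a different problem from recovering a password that matches a stored hash.)

```latex
% 128-bit digest space, Richard's figure written out in full
2^{128} = 340\,282\,366\,920\,938\,463\,463\,374\,607\,431\,768\,211\,456 \approx 3.40 \times 10^{38}

% chance that one specific second input x' lands on a given digest h
\Pr[\,\mathrm{MD5}(x') = h\,] \approx 2^{-128}

% with n distinct inputs there are \binom{n}{2} pairs, so the chance that
% SOME pair coincides is the birthday bound
\Pr[\text{collision among } n \text{ inputs}] \approx \frac{n(n-1)}{2 \cdot 2^{128}}

% this reaches about one half at
n \approx 2^{64} \approx 1.8 \times 10^{19}
```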




Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Adam Voigt

True, and there's always the MCRYPT library.

Adam Voigt
[EMAIL PROTECTED]

On Tue, 2002-08-13 at 12:48, John S. Huggins wrote:
> On Wed, 14 Aug 2002, Robert Parker wrote:
> 
> >-On Tuesday 13 August 2002 12:20 pm, you wrote:
> >-> Makes sense, except if you use upper and lowercase characters,
> >-> numbers, and symbols (as you should for secure passwords). I
> >-> would think that with these kind of passwords, storing the sheer
> >-> number of possibilities would get slightly large. And I mean even
> >-> if it is easy to break, it's more secure than storing them clear
> >-> text.
> >->
> >-> Adam Voigt
> >-> [EMAIL PROTECTED]
> >-
> >-Thing that really scares me about MD5 being used anywhere that's easily
> >-accessible is what happens if 'pussycat' maps on to the same hash as 
> >-'H&3ph!3s09Zw'. The crackers don't need the original password just something 
> >-that generates the same hash.
> 
> Sure, this is possible and I agree it is a concern.  With MD5 there is some
> mathematically small chance this will happen.  With SHA even smaller.
> However, where do we draw the line?
> 
> I suppose requiring users to use long passphrases instead of passwords and
> MD5 that result would help with this issue.
> 
> >-
> >-Bob Parker
> 
> **
> 
> John Huggins
> VANet
> 
> [EMAIL PROTECTED]
> http://www.va.net/
> 
> **
> 







Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread John S. Huggins

On Wed, 14 Aug 2002, Robert Parker wrote:

>-On Tuesday 13 August 2002 12:20 pm, you wrote:
>-> Makes sense, except if you use upper and lowercase characters,
>-> numbers, and symbols (as you should for secure passwords). I
>-> would think that with these kind of passwords, storing the sheer
>-> number of possibilities would get slightly large. And I mean even
>-> if it is easy to break, it's more secure than storing them clear
>-> text.
>->
>-> Adam Voigt
>-> [EMAIL PROTECTED]
>-
>-Thing that really scares me about MD5 being used anywhere that's easily
>-accessible is what happens if 'pussycat' maps on to the same hash as 
>-'H&3ph!3s09Zw'. The crackers don't need the original password just something 
>-that generates the same hash.

Sure, this is possible and I agree it is a concern.  With MD5 there is some
mathematically small chance this will happen.  With SHA even smaller.
However, where do we draw the line?

I suppose requiring users to use long passphrases instead of passwords and
MD5 that result would help with this issue.

>-
>-Bob Parker

**

John Huggins
VANet

[EMAIL PROTECTED]
http://www.va.net/

**






Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Adam Voigt

If I could find the link I would send it, but I read about 6 months
back on RSA Data Security's website that a study was being done by
mathematicians, and at the time they were theorizing that they highly
doubted any overlap in keysums, but if such did exist they believed that
the key you would have to MD5 to get the same sum would have to be
several "chapters" worth of characters. Point of the story is, it's
highly, highly, highly unlikely.

Adam Voigt
[EMAIL PROTECTED]

On Wed, 2002-08-14 at 02:36, Robert Parker wrote:
> On Tuesday 13 August 2002 12:20 pm, you wrote:
> > Makes sense, except if you use upper and lowercase characters,
> > numbers, and symbols (as you should for secure passwords). I
> > would think that with these kind of passwords, storing the sheer
> > number of possibilities would get slightly large. And I mean even
> > if it is easy to break, it's more secure than storing them clear
> > text.
> >
> > Adam Voigt
> > [EMAIL PROTECTED]
> 
> Thing that really scares me about MD5 being used anywhere that's easily
> accessible is what happens if 'pussycat' maps on to the same hash as 
> 'H&3ph!3s09Zw'. The crackers don't need the original password just something 
> that generates the same hash.
> 
> Bob Parker







Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Robert Parker

On Tuesday 13 August 2002 12:20 pm, you wrote:
> Makes sense, except if you use upper and lowercase characters,
> numbers, and symbols (as you should for secure passwords). I
> would think that with these kind of passwords, storing the sheer
> number of possibilities would get slightly large. And I mean even
> if it is easy to break, it's more secure than storing them clear
> text.
>
> Adam Voigt
> [EMAIL PROTECTED]

Thing that really scares me about MD5 being used anywhere that's easily
accessible is what happens if 'pussycat' maps on to the same hash as 
'H&3ph!3s09Zw'. The crackers don't need the original password just something 
that generates the same hash.

Bob Parker





Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Adam Voigt

Makes sense, except if you use upper and lowercase characters,
numbers, and symbols (as you should for secure passwords). I
would think that with these kind of passwords, storing the sheer
number of possibilities would get slightly large. And I mean even
if it is easy to break, it's more secure than storing them clear
text.

Adam Voigt
[EMAIL PROTECTED]

On Wed, 2002-08-14 at 02:20, Robert Parker wrote:
> On Tuesday 13 August 2002 10:57 am, you wrote:
> > MD5 encryption of passwords is secure since you do not need to decrypt the
> > password ever (in fact you can't).  You just encrypt the password that the
> > user entered and check if the MD5 of each password is the same; if so, the
> > user most likely entered the correct password.
> 
> I don't remember where I read this but it only takes the crackers about 1 - 2 
> seconds to crack your average MD5 encrypted password. This is quite logical
> because all they had to do is make a database of all of the MD5 sums of all 
> the passwords in the various dictionaries.
> The only Linux distro in my (limited) experience that gave the option of MD5 
> encryption of passwords was Debian 2. Even then you had the option of shadow 
> password files instead. Debian 2 is quite old. Later distros such as Mandrake 
> 8.0 and up simply use shadow password files without other option.
> 
> Regards
> Bob Parker
> 







Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Robert Parker

On Tuesday 13 August 2002 10:57 am, you wrote:
> MD5 encryption of passwords is secure since you do not need to decrypt the
> password ever (in fact you can't).  You just encrypt the password that the
> user entered and check if the MD5 of each password is the same; if so, the
> user most likely entered the correct password.

I don't remember where I read this but it only takes the crackers about 1 - 2 
seconds to crack your average MD5 encrypted password. This is quite logical
because all they had to do is make a database of all of the MD5 sums of all 
the passwords in the various dictionaries.
The only Linux distro in my (limited) experience that gave the option of MD5 
encryption of passwords was Debian 2. Even then you had the option of shadow 
password files instead. Debian 2 is quite old. Later distros such as Mandrake 
8.0 and up simply use shadow password files without other option.

Regards
Bob Parker





Re: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread Jim Dam

MD5 encryption of passwords is secure since you do not need to decrypt the
password ever (in fact you can't).  You just encrypt the password that the
user entered and check if the MD5 of each password is the same; if so, the
user most likely entered the correct password.

- Original Message -
From: "Sascha Braun" <[EMAIL PROTECTED]>
To: "PHP Mailingliste" <[EMAIL PROTECTED]>
Sent: Tuesday, August 13, 2002 10:52 AM
Subject: AW: Re[2]: [PHP] Credit Card suggestions


> If there is no secure way to store credit cards on webservers, please tell
> me about how secure it is to encrypt passwords with md5 encryption.
>
> I want a password secured area in my website where I store some company
> concepts I invented. I'm searching for people who got enough money to make
> these concepts happen in true life, but I don't want these people to look
> at the concepts before I have their personal data.
>
> If someone is interested and German speaking you may look at
> www.weitsicht.org, but the site isn't finished yet. Some things don't work
> on other browsers than IE.
>
> Thanks
>
> Schura
>
>
>
> -Original Message-
> From: Geoff Caplan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 13 August 2002 10:20
> To: Mike Mannakee; [EMAIL PROTECTED]
> Subject: Re[2]: [PHP] Credit Card suggestions
>
>
> Mike,
>
> >>Does anyone have any suggested method of scrambling a user's credit card
> >>number before I stick it in a mysql database?
>
> With respect, if you have to ask the question, you don't have the
> technical skills to do this safely. In particular, there is no way to
> keep the numbers secure if you are storing them on a machine which can
> be accessed directly from the internet. Both your encryption keys and
> your card numbers would have to be stored on a back-end machine
> protected by a sophisticated firewall.
>
> Payment gateway providers have to meet challenging standards and
> undergo rigorous audits from the banks before they are allowed to
> store numbers. Much your best solution is to use one of these
> providers, who will store the card numbers for you. You can then do
> all the transactions you require, such as repeats, refunds etc without
> ever having to store the card number. Many providers offer the options
> of using forms on their servers, or using your own SSL forms and
> posting them the data using the SSL. With the CURL library, writing an
> interface for this is relatively trivial.
>
> Many countries (such as the UK where we operate) have laws about the
> storage of credit cards on computer networks, so what you are planning
> may even be illegal!
>
> --
> Geoff Caplan
> Advantae Ltd
>
> mailto:[EMAIL PROTECTED]
> http://www.advantae.com
>
>


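An added example (editor's, not code from Jim, Robert or anyone else in the thread), in PHP: the store-md5-and-compare scheme Jim describes, next to the precomputed table of md5 sums Robert describes, next to the salted and deliberately slow alternative that no such table can be built for. The four-word "dictionary" and the sample passwords are constructed for the demonstration; password_hash and password_verify are standard PHP functions, though they postdate this thread.

```php
<?php
// Added example, not from the thread. Shows (1) the md5-and-compare scheme
// Jim describes, (2) why a precomputed table of md5 sums of dictionary
// words, as Robert describes, recovers such hashes with one lookup, and
// (3) a salted, deliberately slow hash that no such table can be built for.

declare(strict_types=1);

// Constructed mini "dictionary". A real attack table is built from every
// word in every wordlist; four entries are enough to show the effect.
const DICTIONARY = ['pussycat', 'password', 'letmein', 'summer2002'];

/** Precompute the table once: md5 sum => plaintext word. */
function buildMd5Table(array $words): array
{
    $table = [];
    foreach ($words as $word) {
        $table[md5($word)] = $word;
    }
    return $table;
}

/** Scheme from the thread: store md5($password), recompute and compare on login. */
function storeMd5(string $password): string
{
    return md5($password);
}

function verifyMd5(string $password, string $storedHash): bool
{
    // hash_equals compares in constant time, so a wrong guess does not leak
    // how many leading characters of the stored hash it matched.
    return hash_equals($storedHash, md5($password));
}

/** Look an exposed hash up in the precomputed table; null if it is not there. */
function recoverFromTable(string $storedHash, array $table): ?string
{
    return $table[$storedHash] ?? null;
}

/** Hardened form: random per-user salt plus a slow, cost-adjustable hash. */
function storeSalted(string $password): string
{
    // password_hash draws a fresh random salt and stores it, with the cost
    // parameter, inside the returned string, so the same password yields a
    // different string every time and a table cannot be computed in advance.
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifySalted(string $password, string $storedHash): bool
{
    // Reads the salt back out of the stored string and redoes the slow hash.
    return password_verify($password, $storedHash);
}

// --- Walk-through with constructed data ------------------------------------
$table = buildMd5Table(DICTIONARY);

// A user chose a dictionary word and the unsalted hash leaks (database dump).
$leakedMd5 = storeMd5('pussycat');
printf("md5 stored:    %s\n", $leakedMd5);
printf("table lookup:  %s\n", recoverFromTable($leakedMd5, $table) ?? '(not found)');
// The word comes straight back: no hashing is done at lookup time at all.

// Same password, salted and stretched. The leaked string is not in the
// table, and two enrolments of the same password do not even match.
$salted1 = storeSalted('pussycat');
$salted2 = storeSalted('pussycat');
printf("salted stored: %s\n", $salted1);
printf("table lookup:  %s\n", recoverFromTable($salted1, $table) ?? '(not found)');
printf("same password, different stored strings: %s\n", $salted1 !== $salted2 ? 'yes' : 'no');

// Login still works under both schemes and a wrong password is refused.
printf("md5 login ok:    %s\n", verifyMd5('pussycat', $leakedMd5) ? 'yes' : 'no');
printf("salted login ok: %s\n", verifySalted('pussycat', $salted1) ? 'yes' : 'no');
printf("salted wrong pw: %s\n", verifySalted('H&3ph!3s09Zw', $salted1) ? 'yes' : 'no');
```

The point of the salted variant is not secrecy of the salt (it sits in the stored string in the clear) but that every user's hash must be attacked separately and slowly, which is what turns Robert's "1 - 2 seconds" into a per-account cost that scales with the cost parameter.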




RE: Re[2]: [PHP] Credit Card suggestions

2002-08-13 Thread César Aracena

Mike,

I agree with the things that Geoff is telling you. What I have seen in
the past and even in some free PHP programs that I downloaded for
learning purposes, is the CC number stored in your database but not
entirely. I mean like 1234789 so the customer can verify that
the transaction will be made using the right CC and not an old one or
even someone else's CC.

HTH, C.

> -Original Message-
> From: Geoff Caplan [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 13, 2002 5:20 AM
> To: Mike Mannakee; [EMAIL PROTECTED]
> Subject: Re[2]: [PHP] Credit Card suggestions
> 
> Mike,
> 
> >>Does anyone have any suggested method of scrambling a user's credit
> >>card number before I stick it in a mysql database?
> 
> With respect, if you have to ask the question, you don't have the
> technical skills to do this safely. In particular, there is no way to
> keep the numbers secure if you are storing them on a machine which can
> be accessed directly from the internet. Both your encryption keys and
> your card numbers would have to be stored on a back-end machine
> protected by a sophisticated firewall.
> 
> Payment gateway providers have to meet challenging standards and
> undergo rigorous audits from the banks before they are allowed to
> store numbers. Much your best solution is to use one of these
> providers, who will store the card numbers for you. You can then do
> all the transactions you require, such as repeats, refunds etc without
> ever having to store the card number. Many providers offer the options
> of using forms on their servers, or using your own SSL forms and
> posting them the data using the SSL. With the CURL library, writing an
> interface for this is relatively trivial.
> 
> Many countries (such as the UK where we operate) have laws about the
> storage of credit cards on computer networks, so what you are planning
> may even be illegal!
> 
> --
> Geoff Caplan
> Advantae Ltd
> 
> mailto:[EMAIL PROTECTED]
> http://www.advantae.com
> 



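An added example (editor's, not Geoff's or César's code), in PHP: the gateway interface Geoff describes, written against the CURL extension, combined with César's point of keeping only a partial card number locally. The gateway URL, the request fields, the JSON reply shape and the merchant key are placeholders assumed for the example; any real gateway publishes its own API. The card number in the usage section is a constructed test value.

```php
<?php
// Added example, not from the thread. A gateway interface of the kind Geoff
// describes, built on the CURL extension: the card number goes straight to
// the gateway over TLS and only the token it returns, plus the last four
// digits for display (César's point), is kept on our side.
// ASSUMPTIONS: endpoint, field names, JSON reply shape and key are placeholders.

declare(strict_types=1);

const GATEWAY_URL = 'https://gateway.example.invalid/v1/tokenize'; // placeholder

/**
 * Send the card to the gateway and return the token it issues.
 * The full card number exists only inside this request; nothing here
 * writes it to a file, a log line or a database.
 */
function tokenizeCard(string $pan, string $expiry, string $merchantKey): string
{
    $ch = curl_init(GATEWAY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query(['pan' => $pan, 'expiry' => $expiry]),
        CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $merchantKey],
        CURLOPT_RETURNTRANSFER => true,
        // Certificate and hostname checks stay on. Turning them off to make
        // a TLS error go away would hand the card number to anyone on the path.
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_SSL_VERIFYHOST => 2,
        CURLOPT_TIMEOUT        => 15,
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $error  = curl_error($ch);
    curl_close($ch);

    if ($body === false || $status !== 200) {
        // Status and transport error only; the request body never reaches a log.
        throw new RuntimeException("gateway request failed: HTTP $status $error");
    }
    $reply = json_decode($body, true);
    if (!is_array($reply) || !isset($reply['token']) || !is_string($reply['token'])) {
        throw new RuntimeException('gateway reply did not contain a token');
    }
    return $reply['token'];
}

/** What we keep: the gateway token and the last four digits for display. */
function cardRecordForStorage(string $token, string $pan): array
{
    $digits = preg_replace('/\D/', '', $pan);
    $last4  = substr($digits, -4);
    return [
        'token'  => $token,
        'last4'  => $last4,
        'masked' => str_repeat('*', strlen($digits) - 4) . $last4,
    ];
}

// --- Usage (constructed card number, placeholder key) -----------------------
$pan = '4111 1111 1111 1111';
try {
    $token  = tokenizeCard($pan, '12/04', 'MERCHANT_KEY_PLACEHOLDER');
    $record = cardRecordForStorage($token, $pan);
    unset($pan); // the PAN is no longer needed once the gateway has it
    print_r($record); // this array, not the card number, is what goes into MySQL
} catch (RuntimeException $e) {
    error_log($e->getMessage());
}
```

Repeats and refunds are then requests that carry the token, so the database row never holds anything that could be replayed as a card, which is the property Geoff is after; the `masked` field is what the customer sees on the order page, per César.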