And it comes down to exactly what you are trying to protect. If someone
comes down and says, I'll chop off your head if you don't give me the key,
and it's the firm's salary data, the odds are you just may give in. It's
probably on Google anyway.
Remember Mata Hari was able to get top secret data (en
At 2:14 PM -0400 5/6/10, Nicholas Ilyin wrote:
Hi Anthony,
In theory, no hashing function will ever be free from brute force
attacks, but this is a matter of how long one is willing to perform
a brute force attack to find the variable (a password) in a one-way
hashing function. In practice, s
Hi Anthony,
MD5 and SHA1 password hashes are considered weak. You are correct that
if someone got a hold of your hashes they could use a dictionary of
common passwords to devise some of your users' passwords.
There are a few ways to deal with this. The simplest is to just force
users to create comp
Hello,
Hi Anthony,
MD5 and SHA1 password hashes are considered weak. You are correct that
if someone got a hold of your hashes they could use a dictionary of
common passwords to devise some of your users' passwords.
It makes me laugh a little when people say MD5 or SHA1 is weak or
broken. If it
On Thu, May 6, 2010 at 1:15 PM, Anthony Papillion wrote:
> So I've used encryption on a personal level and even on the server
> through SSL but I've not done much more in PHP than using either the
> MD5() or SHA1() functions on passwords. I tend to be a very paranoid
> type with user information a
On Thu, May 6, 2010 at 2:14 PM, Nicholas Ilyin wrote:
> However, appending any plaintext to your password and hashing that, such as
> SHA(username+password+username) is useless from a mathematical standpoint as
> the username is actually known to a potential hacker. The way that hash
> functions
On Thu, May 6, 2010 at 2:08 PM, John Campbell wrote:
> Use bcrypt. It is tunable so can make it so each hash check takes .1
> seconds. This makes a dictionary attack a huge pain in the ass, but
> your login page will still be plenty responsive.
>
This is excellent advice. You can also make you
Just happened to see this in my RSS feed from phpdeveloper.org...
http://www.webreference.com/programming/php/encryption_1/
Maybe relevant...
--Mike H
___
New York PHP Users Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/tal
Hi Anthony,
In theory, no hashing function will ever be free from brute force attacks,
but this is a matter of how long one is willing to perform a brute force
attack to find the variable (a password) in a one-way hashing function. In
practice, some hashing functions have clear security flaws whil
On Thu, May 6, 2010 at 1:15 PM, Anthony Papillion wrote:
> So I've used encryption on a personal level and even on the server
> through SSL but I've not done much more in PHP than using either the
> MD5() or SHA1() functions on passwords. I tend to be a very paranoid
> type with user information a
On Thu, May 6, 2010 at 1:15 PM, Anthony Papillion wrote:
> An attacker could determine an MD5 or SHA1 password through a simple
> dictionary attack. So, in essence, the encryption is useless.
Yes, current CUDA setups can calculate a billion SHA1's per second.
Dictionary attacks against salted has
So I've used encryption on a personal level and even on the server
through SSL but I've not done much more in PHP than using either the
MD5() or SHA1() functions on passwords. I tend to be a very paranoid
type with user information and I'm constantly thinking about
weaknesses in systems and how the
12 matches