Sebastiaan van Erk schrieb:
Korbinian Bachl wrote:
This is nothing about wicket - its about base security. MD5 is a
hash-algorithm (see: http://en.wikipedia.org/wiki/Md5) which is no
more secure (flaw found 1996) as there are tables to reverse given md5
(from 2003 on) to a valid input
As far as I can remember, they can generate two different documents with
the same MD5 hash.
correct: http://www.mscs.dal.ca/~selinger/md5collision/ (this is known
since 1996 now)
However, they *CAN NOT* generate a collision for an arbitrary hash.
Furthermore, doing this in a limited size string (like a password) adds
another complication.
they can and did ! - if you have a hashvalue e.g:
79054025255fb1a26e4bc422aef54eb4
you can use various reverse tables to get the needed inputString into
any md5(inputString) function to get the desired hash -
example look here:
http://www.antsight.com/zsl/rainbowcrack/
Furthermore, there is generally no way to know what MD5 hash a user has,
so even if there was an attack which could generate a string with the
chosen MD5 hash, you still could not hack a user's account because you
wouldn't know which MD5 hash you want your string to have.
with classic rainbow tables or hybrid rainbow tables you get a 99,9%
chance to score a hit for under 1h time... sounds not very secure to me
Nope, MD5 password hashes are still perfectly fine.
sure?
Hashing the password client side is actually UNSAFE. This means the hash
goes over the network, and somebody else can just send the same hash to
the server to log in without ever knowing the user's password.
and its more save if the md5 sits in the RDBMS that may be breached?
What you need is either:
1) SSL (https) to encrypt the traffic to the server (in which case there
is no need to hash passwords client side), or
+1 for this - but i got him as he wants to store the password protected
on server
Best,
Korbinian
2) Use a challenge response algorithm (like CRAM-MD5).
Since 1) is already built into the browser and 2) is a pain and requires
somebody to implement it in JavaScript, I strongly suggest you use 1).
Futhermore, trying to think of your own security algorithms, or
implement known security algorithms yourself (e.g., in JavaScript)
instead of using a library is very dangerous unless you are a security
expert.
Regards,
Sebastiaan
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]