[wp-hackers] Wordpress Event Viewer Plugin
computerguru at neosmart.net
Wed Apr 4 12:15:41 GMT 2007
Sorry, I have no idea what the hell that was.... now after a long night's sleep, maybe I can make that go away :P
Yeah, sure, MD5 isn't encryption like PGP or Blowfish & Co. but since we're not looking to retrieve the original unhashed value, it'll serve the same purpose.
Since the original unhashed message (password) will be made available, and all you have to do is check if its hash is the same as the hash you have stored, it's good enough.
Besides that, the argument remains unchanged.
Let's say it WAS encrypted, with a 4096-bit AES cipher. Does it make a difference? Since the source code is available to be freely modified, the real password can be leaked from anywhere pre-encryption or post-verification.
So, yeah, a Salt puts an obstacle in the way, and you'd have to first md5 the salt (available from the db) then rainbow table the password hash, then remove the md5'd salt from the "dehashed" password hash and then once more rainbow table the remaining stuff (because it's 2 hashes within a hash) to get the password.
It doesn't make a difference how you look at it or if it's SHA2-512 being used vs. real GPG encryption of the password - so long as the unencrypted/unhashed password is EVER at any point presented to the server, it's insecure.
Sorry about last night, I wasn't thinking straight and got carried away.
I guess the point of all this is: passwords are dead, security doesn't exist, and stuff like OpenID will never get the chance to make a difference unless everyone agrees around this point.
Back to my 500 accounts now?
> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-
> bounces at lists.automattic.com] On Behalf Of Robert Deaton
> Sent: Wednesday, April 04, 2007 12:21 AM
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Wordpress Event Viewer Plugin
> On 4/3/07, Computer Guru <computerguru at neosmart.net> wrote:
> > Yes they do....
> > MD5 *is* technically an encryption scheme. And yes, with the help of
> > rainbow tables, it can be decrypted - but it is never stored in plain
> > text anywhere in a vanilla copy.
> No, it's not an encryption scheme. It's a digest algorithm. A one way
> hash. And no, it can't be decrypted, ever. You can do a reverse lookup
> (rainbow tables) or generate a collision.
> Encryption by definition allows one to reverse the process knowing a
> certain secret (the function to reverse the process). MD5 has no such
> capability. In fact, run MD5 over a terabyte of data and it'll end up
> with the same length checksum as if you checksum the letter "a".
> > Instead, the user password when logging in is encrypted and the two
> > MD5 hashes are compared.
> > I agree, it's not *that* secure, but it's good enough - like Brian
> > was saying, how far do you want to go?
> ... *smack himself on the hand*. Be nice. Be nice... but it's so hard.
> --Robert Deaton
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
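The two mechanisms discussed in this thread, the fixed-length one-way digest and the login check that hashes the submitted password and compares it with the stored hash, shown as an added Python example (not code from either poster or from WordPress). It goes beyond the thread by placing the unsalted MD5 scheme beside a per-user salted PBKDF2 scheme; the function names, the iteration count and the sample accounts are assumptions constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this example

def md5_store(password: str) -> str:
    """Unsalted MD5 as discussed in the thread: same password, same 32-hex-char hash."""
    return hashlib.md5(password.encode()).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    """Login check from the thread: hash the submitted value, compare the digests."""
    return hmac.compare_digest(md5_store(password), stored)

def pbkdf2_store(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Per-user random salt plus a slow KDF; returns (salt, derived_key)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key

def pbkdf2_verify(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, key = pbkdf2_store(password, salt)
    return hmac.compare_digest(key, stored_key)

def shared_hash_groups(records: dict[str, str]) -> list[list[str]]:
    """Audit helper: users whose stored hashes are identical (a sign of unsalted storage)."""
    groups: dict[str, list[str]] = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]

if __name__ == "__main__":
    # Constructed sample accounts; two users picked the same password.
    users = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse"}
    unsalted = {u: md5_store(p) for u, p in users.items()}
    salted = {u: pbkdf2_store(p) for u, p in users.items()}
    print("digest length for 'a':", len(md5_store("a")))
    print("digest length for 1 MB:", len(md5_store("a" * 1_000_000)))
    print("unsalted duplicates:", shared_hash_groups(unsalted))
    print("salted duplicates:", shared_hash_groups({u: k.hex() for u, (_, k) in salted.items()}))
    print("login ok:", pbkdf2_verify("hunter2", *salted["alice"]))
```

In both schemes the server still receives the plaintext password at login, which is the point the reply above argues; the salted scheme changes only what a copy of the stored table reveals.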