Once you know the hash though, it's a simple matter from what I've
heard to decrypt it with a brute force attack setup on your server.
Sure it takes a little effort, but it is possible.
Even if you use all kinds of mixed case, different characters,
punctuation, etc. to create the hash, with only 32 bits to compare to
you can have multiple sequences of numbers/letters that have the same
hash.
The best way to do it, I think, would be to store the password outside
of the webroot so that external applications don't have access to it. :)
Just my 2¢
On Jan 14, 2008, at 3:17 PM, Roberto Berto wrote:
Someone can get read access to assp.cfg without write.
The default umask is 022, which means files are created with 0644, so by
default they can read, not write.
An MD5 hash will help to protect sysadmins who did not check their
permissions.
I know it is easier to chmod 0600 assp.cfg, but my opinion is to
restrict where possible.
On Jan 14, 2008 6:11 PM, Kevin < [EMAIL PROTECTED]> wrote:
Roberto Berto wrote:
> On Jan 14, 2008 3:00 PM, GrayHat <[EMAIL PROTECTED]> wrote:
>
>>> webAdminEncryptedPassword
>> it's a nonsense; imVHo it would just suffice to use MD5 to generate
>> a hash of the admin password and store the hash inside the config
>> file in place of the plain text pwd; at any rate, if someone will be
>> able to read your cfg file, then I suspect you'll have bigger problems
>> than the plain text password one <g>
>>
>
> I strongly disagree with you.
>
> My idea is to use MD5 for webAdminEncryptedPassword, and MD5 is better than
> the actual plain text.
It makes no difference if the password is plaintext or an MD5 hash once
you have access to the file.
What is to stop someone from simply deleting the existing MD5 hash and
replacing it with their own?
Kevin
-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://ad.doubleclick.net/clk;164216239;13503038;w?http://sf.net/marketplace
_______________________________________________
Assp-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/assp-user
--
Regards,
----------------------------------------------------------
Roberto Bertó
[EMAIL PROTECTED]
TeHospedo - website hosting - http://www.TeHospedo.com.br - 51 32277727
----------------------------------------------------------
--
Jason Pruim
Raoset Inc.
Technology Manager
MQC Specialist
3251 132nd ave
Holland, MI, 49424
www.raoset.com
[EMAIL PROTECTED]
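
The permission point raised in the thread (a umask of 022 producing a 0644 assp.cfg, and chmod 0600 as the fix), as an added example that is not part of the original messages or ASSP's own code. The temporary file path and the helper names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def create_with_umask(path, umask):
    """Create a file requesting mode 0666 under `umask`; return the resulting mode."""
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        os.close(fd)
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit(path):
    """Return findings for a config file that stores a password or its hash."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other: stored password or hash is exposed")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group/other: stored hash can be replaced")
    return findings


def harden(path):
    """Restrict the file to its owner (the chmod 0600 from the thread)."""
    os.chmod(path, 0o600)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    # Constructed sample file in a temp directory, not a real ASSP configuration.
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "assp.cfg")
        created = create_with_umask(cfg, 0o022)
        before = audit(cfg)
        hardened = harden(cfg)
        after = audit(cfg)
        return created, before, hardened, after


if __name__ == "__main__":
    created, before, hardened, after = demo()
    print(f"created with umask 022: {created:04o}, findings: {before}")
    print(f"after chmod: {hardened:04o}, findings: {after}")
```
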