Or, like the article suggested, a random portion for the hash... I
agree with you, Micah. The hash collision is a problem, and must be
avoided.
Same password hashes for different users are very good candidates for
a dictionary attack. Probably, in most of these cases, users picked
"easy" passwords,
onlist this time...
tedd wrote:
> >
> >
> > I think the MD5() hash is a pretty good way and if the weakness is the
> > user's lack of uniqueness in determining their passwords, then we can
> > focus on that problem instead of looking to another hash. And besides,
> > the solution presented was t
2009/2/9 Stuart :
> 2009/2/9 Jan G.B. :
>> 2009/2/9 Stuart :
>>> I would also advise against stripping and trimming
>>> anything from passwords.
>>>
>> Trimming could be left out but it minimizes user errors and users
>> pretending to know their password.
>> (Like copy/paste from a passwords-file w
At 10:41 AM -0600 2/9/09, Boyd, Todd M. wrote:
> -Original Message-
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Granted, there are things here that are above my head -- I am not
passing myself off as an expert but rather as someone proposing ideas
to see if they pass or fail.
> -Original Message-
> From: tedd [mailto:tedd.sperl...@gmail.com]
> Sent: Monday, February 09, 2009 10:30 AM
> To: Bruno Fajardo
> Cc: PHP General
> Subject: Re: [PHP] php validate user password
>
> At 12:20 PM -0300 2/9/09, Bruno Fajardo wrote:
> >tedd,
At 12:20 PM -0300 2/9/09, Bruno Fajardo wrote:
tedd,
I think that the problem of the "duplicated hashes" in the database
(in the case of two users using the same password) persists with a
constant prefix in the passwords. Although the random salt portion gets
stored in the database concatenated t
tedd,
I think that the problem of the "duplicated hashes" in the database
(in the case of two users using the same password) persists with a
constant prefix in the passwords. Although the random salt portion gets
stored in the database concatenated to the hash, the attacker doesn't
know the string le
At 2:02 PM + 2/9/09, Stuart wrote:
2009/2/9 Michael Kubler :
These days SHA should really be used instead of MD5, and you should be
SALTing the password as well.
Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html
Good advice. I would also advise against strippi
2009/2/9 Jan G.B. :
> 2009/2/9 Stuart :
>> I would also advise against stripping and trimming
>> anything from passwords. By removing characters you're significantly
>> reducing the number of possible passwords.
>
> Surely, the stripping should only be done when magic_quotes is
> enabled! (e.g
2009/2/9 Stuart :
> 2009/2/9 Michael Kubler :
>> These days SHA should really be used instead of MD5, and you should be
>> SALTing the password as well.
>> Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html
>
> Good advice.
Absolutely. I used mysqls md5() function only as
2009/2/9 Michael Kubler :
> These days SHA should really be used instead of MD5, and you should be
> SALTing the password as well.
> Here's a great guide : http://phpsec.org/articles/2005/password-hashing.html
Good advice. I would also advise against stripping and trimming
anything from passwords.