WebApp Sec mailing list archives
Re[2]: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)
From: Oleg Topchiy <edge () ua fm>
Date: Wed, 17 Aug 2005 10:54:20 +0300
Hello Noam, Wednesday, August 17, 2005, 7:52:15 AM, you wrote:
Hello Mike,
If you are implementing a one-way hash correctly, there should be no need to store the plaintext passwords. All that should be stored is the resulting hash of each password.
For example, if the plaintext password is, "secretpassword" the MD5 hash of that password would be, "31435008693ce6976f45dedc5532e2c1".
That hash can be stored in the user database instead of a password. The advantage of this is that if the confidentiality of that database is compromised, no passwords will be revealed. There is no feasible way to reverse a one-way hash function to reveal the plaintext password.
To authenticate users, you would take the user-submitted password (ex. "secretpassword") and perform the same hash function. The resulting hash should match the hash stored in the database.
It's true, but if the whole database is compromised, there is a good chance that a vast number of the passwords won't stand against even a dictionary attack, let alone brute force. Although this method provides the best balance between complexity and security.
--
Best regards,
The.Edge mailto:edge () ua fm
Current thread:
- Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) mike (Aug 16)
- Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Noam Eppel (Aug 16)
- Re[2]: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Oleg Topchiy (Aug 17)
- Re: Re[2]: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Chuck (Aug 17)
- Re: MD5 Password encoding, "straight" vs "salted" hashes Peter Watkins (Aug 17)
- Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Thomas Chiverton (Aug 17)
- Re[2]: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Oleg Topchiy (Aug 17)
- <Possible follow-ups>
- RE: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Cyrill Osterwalder (Aug 17)
- RE: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Bond Masuda (Aug 17)
- Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Gary Gwin (Aug 18)
- Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Jean-Jacques Halans (Aug 22)
- Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Serban Ghita (Aug 23)
- Re: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) Noam Eppel (Aug 16)
- Re: RE: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection) mike (Aug 17)