[thelist] Re: best way to check for valid user/password in PHP

Kelly Hallman khallman at wrack.org
Thu Jan 9 16:20:01 CST 2003


On Thu, 9 Jan 2003, Liam Delahunty wrote:
> > md5 is a one-way hash because there is no feasible way to determine
> > the original input that created the hash, and it would be equally
> > difficult to find two strings that resulted in the same hash.  This
> > way, if someone got ahold of your username/password data, the hashed
> > passwords would be useless.
>
> md5 is susceptible to dictionary attacks. I have a database of many
> common passwords and the md5, it's fairly easy to put in a hash and look
> up its real value. However, it's still a lot better than... plain text.

To look up hashes to find the password, you'd still need to know what the
hash for the account is.  You wouldn't know the hash, unless you gained
the username/hashed password data.  At that point, there's already a big
problem (and a much bigger problem, if the passwords were plaintext).

You could also take your database of "common passwords" and slam the
server with them, if you knew valid usernames to try, to attempt to gain
access to an account that might have one of these common passwords.

I was just suggesting this method as an alternative to storing plain
passwords, and I was (hopefully) careful to avoid painting it as the
end-all-be-all security measure for password data.  In my opinion, it's
still a pretty good measure of security.  Better, feasible suggestions?

If you've got the time and the desire, there's always some way or another
to circumvent most security measures.

> Don't get me started on clients with so called "security" requirements that
> then just go and log in insecurely, use ftp[1], or use admin/root level
> accounts to get email unsecured! Especially in webmail! Argh!

I feel your pain...!

--
Kelly Hallman
http://wrack.org/
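An added example, not from either poster: it puts the unsalted md5() storage discussed in the thread beside PHP's password_hash()/password_verify() (PHP 5.5 and later; in 2003 the equivalent would have been crypt() with a random salt). The user names and passwords are constructed for illustration. The point it shows is the one Liam raises: with md5 alone, two accounts with the same weak password store the same digest, so one precomputed "common password -> md5" list matches every leaked row, whereas a per-user salt makes each stored value different and forces each guess to be recomputed per account.

```php
<?php
// Added example (not code from the original post). Contrasts unsalted md5()
// with PHP's salted, stretched password_hash(). All data here is constructed.

// Constructed user table: two users who happen to share a weak password.
$plainPasswords = [
    'alice' => 'password123',
    'bob'   => 'password123',
];

// --- Scheme discussed in the thread: unsalted md5 ---
$md5Table = [];
foreach ($plainPasswords as $user => $pw) {
    $md5Table[$user] = md5($pw);
}
// Identical passwords produce identical digests. That is what makes a
// precomputed "common passwords -> md5" lookup effective once the hash
// data leaks: one table lookup per row, no hashing work per account.
var_dump($md5Table['alice'] === $md5Table['bob']);

// --- Salted, stretched alternative: password_hash() (PHP >= 5.5) ---
$stored = [];
foreach ($plainPasswords as $user => $pw) {
    // password_hash() draws a fresh random salt on every call and embeds
    // it, with the algorithm id and cost, in the returned string.
    $stored[$user] = password_hash($pw, PASSWORD_DEFAULT);
}
// Same password, different stored value: a leaked table can no longer be
// matched against one precomputed list; each row must be attacked on its
// own, and every guess costs a full bcrypt computation.
var_dump($stored['alice'] === $stored['bob']);

// Login check: let password_verify() do the comparison; it reads the salt
// and cost back out of the stored string itself.
function checkLogin(array $stored, string $user, string $candidate): bool
{
    // Dummy hash so an unknown username costs the same time as a known one
    // (avoids leaking which usernames exist through response timing).
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy-password', PASSWORD_DEFAULT);
    }
    if (!isset($stored[$user])) {
        password_verify($candidate, $dummy);
        return false;
    }
    return password_verify($candidate, $stored[$user]);
}

var_dump(checkLogin($stored, 'alice', 'password123'));   // valid user, right password
var_dump(checkLogin($stored, 'alice', 'wrong'));         // valid user, wrong password
var_dump(checkLogin($stored, 'mallory', 'password123')); // unknown user
```

Note that the salted scheme does nothing against the second scenario in the reply above, an online run of common passwords against known usernames; that one is answered by rate limiting or lockout at the login handler, not by the choice of hash.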
