this thread owns in so many levels... haha i read it from pst * through now lol haha this is great
Hehe, this thread does bring back memories. I thought I actually had a chance against the powers of SyntaX******. They don't call him that just for fun, you know :D
EDIT: Just read through SyntaX's code again, and realized that I could actually 'read' most of the code, not just stare at it in amazement like I did the last time I opened this thread. :)
[quote]Just read through SyntaX's code again, and realized that I could actually 'read' most of the code, not just stare at it in amazement like I did the last time I opened this thread.[/quote]
Well I never had any formal programming training. I just do it for the challenge when I have some extra time. Thanks to JayT I actually have started commenting all of my code. Now others can actually Read/Use the code I write. Wow, no more headaches. Go figure!
[QUOTE=SyntaX******;27*6*]Well I never had any formal programming training. I just do it for the challenge when I have some extra time. Thanks to JayT I actually have started commenting all of my code. Now others can actually Read/Use the code I write. Wow, no more headaches. Go figure![/QUOTE]
I didn't mean my last post in this sense.
What I meant was, before I really didn't know a lot of PHP so it was just a bunch of code, but now after learning a good deal of PHP I can actually understand most of the code. :)
Security by obscurity is OK sometimes.
Securing login data by using SHA* or MD5 is good.
If done carefully, brute force guessing can be essentially neutralized.
For example, code like
[code]
md5(sha*(sha*(md5(md5(sha*("aa"))))))
[/code]
seems excessive.
A simpler way is simply to use an arbitrary, but consistent, rule to modify the hash in a way known ONLY to you and no other. Without this secret info, no amount of ordinary brute force will crack the hash in any practical time period. Mission accomplished.
[code]
$hash = md5("John");
[/code]
When I execute this, it returns
$hash = "6*40*aa*fd47d4a5**2de2*cbf5*a*6f"
Instead of leaving it that way, you could apply a 'private rule', such as swapping the **th character with the final character of the hash string before storing it.
In the above example
$hash = "6*40*aa*fd47d4a5**2de2*cbf5*a*6f"
would become:
"6*40*aa*fd47f4a5**2de2*cbf5*a*6d"
Brute force will NOT find 'John' from this hash.
The **th character 'f' was swapped with the final character 'd' to break the brute force method.
Before comparing, we repeat the swap, to restore the hash to normal.
ANY SIMPLE RULE WILL DO
It can be ANY simple convenient rule that transparently alters the hash from its original sequence but can be easily undone to restore the original hash.
To use the hash, simply reverse the process before comparing it. If someone stole your password list encrypted in this manner, would it simply occur to them to swap the **th and the final characters prior to attempting to crack it by brute force? Not likely.
The change is essentially invisible and without that special prior knowledge of the required minor change, nobody is likely to crack the hash. It's like the secret ingredient your mum uses in a recipe. Even if Russian spies steal her recipe, they still don't know about the secret ingredient not mentioned and will not get exactly the same result without it.
This is a case where security by obscurity is OK, very simple and quite effective.
The programming of this method is not difficult and its power and effectiveness lies in making sure that ONLY YOU know the secret of the hash.
I do the same with PGP encryption too. I have to change * characters before PGP can be decrypted. Knowing the pass phrase is not enough in itself if you don't know which * characters to change first prior to decryption.
Knowledge is power, and secret knowledge is even greater power.
While this is a good idea JayT, applying a salt to a password is just as effective, and IMO easier to implement. But nevertheless, it's a cool idea and it's original as far as I know.
[QUOTE=Moonbat;27***]While this is a good idea JayT, applying a salt to a password is just as effective, and IMO easier to implement. But nevertheless, it's a cool idea and it's original as far as I know.[/QUOTE]
The doctor told me to cut down on salt.
LOL
However, I don't think that salting a hash is any simpler to program than simply swapping 2 characters within a hash string.
That was a simple method I used with PGP before I heard of salting. One or two secretly altered characters and PGP and several other kinds of text-based encryptions are effectively immunized against brute force.
So simple, a Geico Salesman can do it!
Yadayadayada
:)
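The two approaches discussed in this thread side by side, as an added example that is not code from any poster: the character-swap rule applied to an MD5 hash, and a per-record salted hash using PHP's built-in password_hash(). The swap position (SWAP_POS), the function names and the sample password reuse are assumptions made for illustration; the thread does not supply them.

```php
<?php
// Added example with constructed inputs; not code from the thread.
// SWAP_POS is an assumed position: the thread does not give a usable index.
const SWAP_POS = 12;

// The "private rule" described above: swap one character of the hex hash
// with the final character. Running it a second time undoes the swap.
function swap_rule(string $hash): string
{
    $last = strlen($hash) - 1;
    $tmp = $hash[SWAP_POS];
    $hash[SWAP_POS] = $hash[$last];
    $hash[$last] = $tmp;
    return $hash;
}

function store_swapped(string $password): string
{
    return swap_rule(md5($password));
}

function check_swapped(string $password, string $stored): bool
{
    // Undo the swap, then compare in constant time.
    return hash_equals(swap_rule($stored), md5($password));
}

// Salting: password_hash() draws a fresh random salt for every call and
// stores it inside the returned string, so password_verify() needs no
// extra secret.
function store_salted(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function check_salted(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Two accounts that happen to use the same (constructed) password.
$s1 = store_swapped('John');
$s2 = store_swapped('John');
$p1 = store_salted('John');
$p2 = store_salted('John');

printf("swap rule verifies:        %s\n", var_export(check_swapped('John', $s1), true));
printf("swap rule, records equal:  %s\n", var_export($s1 === $s2, true));
printf("salted verifies:           %s\n", var_export(check_salted('John', $p1), true));
printf("salted, records equal:     %s\n", var_export($p1 === $p2, true));
```

The "records equal" lines show whether two accounts with the same password end up with the same stored value under each scheme, which is the property a per-record salt is meant to change.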