Author Topic: function MD5String(Str:String):String;  (Read 1048 times)

0 Members and 1 Guest are viewing this topic.

Offline nub

  • Major
  • *
  • Posts: 56
function MD5String(Str:String):String;
« on: February 23, 2008, 08:22:58 pm »
How is this function supposed to make passwords more secure? Could someone give a use case please?
Можно зарезать, украсть и всё-таки быть счастливым...

Offline chutem

  • Veteran
  • *****
  • Posts: 1119
Re: function MD5String(Str:String):String;
« Reply #1 on: February 23, 2008, 08:26:30 pm »
I have no idea.

Chrisgbk to the rescue!
1NK3FbdNtH6jNH4dc1fzuvd4ruVdMQABvs

Offline EnEsCe

  • Retired Soldat Developer
  • Flamebow Warrior
  • ******
  • Posts: 3101
  • http://enesce.com/
    • [eC] Official Website
Re: function MD5String(Str:String):String;
« Reply #2 on: February 23, 2008, 08:48:09 pm »
MD5 strings can not be reversed. Meaning if you encrypt a user's password as a MD5 at the exact time they register/input their password, any hacker that comes along and steals your user database wont be able to steal anyones password because they are encrypted.

Offline chutem

  • Veteran
  • *****
  • Posts: 1119
Re: function MD5String(Str:String):String;
« Reply #3 on: February 23, 2008, 08:59:34 pm »
And how does the script know that the password is right when entered to get in later?

Yes, I am a nub at coding
1NK3FbdNtH6jNH4dc1fzuvd4ruVdMQABvs

Offline EnEsCe

  • Retired Soldat Developer
  • Flamebow Warrior
  • ******
  • Posts: 3101
  • http://enesce.com/
    • [eC] Official Website
Re: function MD5String(Str:String):String;
« Reply #4 on: February 23, 2008, 09:01:41 pm »
Obviously you encrypt what they entered later and see if it matches the original. Thats just general logic....

Offline chutem

  • Veteran
  • *****
  • Posts: 1119
Re: function MD5String(Str:String):String;
« Reply #5 on: February 23, 2008, 09:20:44 pm »
Ohhhhhhhhh, i'm being really stupid today...
1NK3FbdNtH6jNH4dc1fzuvd4ruVdMQABvs

Offline nub

  • Major
  • *
  • Posts: 56
Re: function MD5String(Str:String):String;
« Reply #6 on: February 24, 2008, 11:12:32 am »
Hmm, my perl script needs only a week to brute force a password with a length of 6 characters with a base of 62 characters and there are online databases. So I recommend forcing long passwords =)
« Last Edit: February 24, 2008, 11:26:07 am by nub »
Можно зарезать, украсть и всё-таки быть счастливым...

Offline TheToast

  • Major
  • *
  • Posts: 52
Re: function MD5String(Str:String):String;
« Reply #7 on: February 24, 2008, 11:49:38 am »
You can avoid online Databases by using a little bit salt

Offline nub

  • Major
  • *
  • Posts: 56
Re: function MD5String(Str:String):String;
« Reply #8 on: February 24, 2008, 01:00:56 pm »
I know, but this information should actually go to the script documentation page, so that people don't think that they are hyper secure just by computing an md5sum.
Можно зарезать, украсть и всё-таки быть счастливым...

Offline chrisgbk

  • Moderator
  • Veteran
  • *****
  • Posts: 1739
Re: function MD5String(Str:String):String;
« Reply #9 on: February 24, 2008, 07:34:22 pm »
Hmm, my perl script needs only a week to brute force a password with a length of 6 characters with a base of 62 characters and there are online databases. So I recommend forcing long passwords =)

There are precomputed hashes available for every password up to length 9 or 10 using every typable character on a keyboard (around 100 characters), and longer passwords can often be bruteforced more efficiently using a dictionary based attack, since many people often use a combination of words for passwords.

ie: I use a password of "turkeygobble", which, with a small alphabet of 26 characters and a length of 12 has 95,428,956,661,682,176 possible permutations. However, if I have a small dictionary of 1,000,000 words, and both of the words used in my password are in my dictionary, it's guaranteed I'll brute force the password in only 1,000,001,000,000 iterations. Which is only about 0.001% of the work of bruteforcing the password on a character by character basis, IF we knew it was 12 characters long beforehand. If we didn't, there would be about 4,000,000,000,000,000 more possible passwords to try, which is still more than the possible number of passwords with our dictionary.

The best bet is to force people to use symbols (!@# etc) to simultaneously reduce the number of dictionary matches (and dictionaries nowadays contain words that have been turned into 1337-speak, so try not to use those and think you are safe)and increase the complexity, and to also enforce a minimum of ie: 12 characters.

Note that even with a small alphabet of only 26 characters, as long as the password is long and doesn't contain dictionary words or patterns(is random), it's still very secure.

A salt is a very good idea as well, so long as it's well chosen. A very good salt can be generated by pre-computing the md5 of a simple word. Then, combining that md5 with the password the user entered, and md5'ing the entire thing will result in a very secure md5 that will not be bruteforced, so long as the salt you used remains a secret. In the case where you can't expect the salt to remain secret, md5'ing the password twice and saving that is recommended, as it increases the amount of work that needs to be done per password.
« Last Edit: February 24, 2008, 07:37:54 pm by chrisgbk »