Network Security Web-App-Sec

Re[2]: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)

Subject: Re[2]: MD5 Password encoding (was: Defeating Citi-Bank Virtual Keyboard Protection)
Date: Wed, 17 Aug 2005 10:54:20 +0300
Hello Noam,

Wednesday, August 17, 2005, 7:52:15 AM, you wrote:


> Hello Mike,
>
> If you are implementing a one-way hash correctly, there should be no need to
> store the plaintext passwords. All that should be stored is the resulting
> hash of each password.
>
> For example, if the plaintext password is, "secretpassword" the MD5 hash of
> that password would be, "31435008693ce6976f45dedc5532e2c1".
>
> That hash can be stored in the user database instead of a password. The
> advantage of this is that if the confidentiality of that database is
> compromised, no passwords will be revealed. There is no feasible way to
> reverse a one-way hash function to reveal the plaintext password.
>
> To authenticate users, you would take the user-submitted password (ex.
> "secretpassword") and perform the same hash function. The resulting hash
> should match the hash stored in the database.

It's true, but if the whole database is compromised, there is a good
chance that a vast number of the passwords won't stand against even a
dictionary attack, let alone brute force. Although this method
provides the best balance between complexity and security.


-- 
Best regards,
 The.Edge                          mailto:edge@ua.fm

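The scheme Noam describes (store the hash, re-hash the submitted password and compare) next to the weakness The.Edge raises, as an added example that is not code from either poster. The unsalted MD5 store is the one from the thread; the salted, iterated PBKDF2 store and the constructed wordlist audit are assumptions added here to show why one precomputed table covers every unsalted record but none of the salted ones.

```python
import hashlib
import hmac
import os
from typing import Optional

# Scheme from the thread: store MD5(password) and compare MD5(submitted) to it.
def md5_store(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def md5_verify(password: str, stored: str) -> bool:
    # compare_digest avoids leaking how many leading hex digits matched
    return hmac.compare_digest(md5_store(password), stored)

# Hardened alternative (assumption, not proposed in the thread): a random
# per-user salt plus an iterated PBKDF2-HMAC-SHA256, stored as "salt$iters$hash".
def pbkdf2_store(password: str, salt: Optional[bytes] = None,
                 iterations: int = 100_000) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

# Constructed wordlist standing in for the "dictionary" The.Edge refers to.
WORDLIST = ["password", "letmein", "secretpassword", "qwerty"]

def audit_unsalted_record(stored_md5: str) -> Optional[str]:
    """Defender-side audit: one table of MD5(word), built once, resolves
    every unsalted record in the database with a single lookup each."""
    table = {md5_store(w): w for w in WORDLIST}
    return table.get(stored_md5)

def salted_records_share_hash(password: str) -> bool:
    """Two users with the same password get identical unsalted hashes, so one
    table hit reveals both; with per-user salts the stored strings differ and
    no shared table applies."""
    return pbkdf2_store(password) == pbkdf2_store(password)
```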