A Cambridge University researcher successfully used Google to unearth a password used by an attacker to compromise its security blog. The attacker created an account in Wordpress when he attacked the Light the Blue Touch Paper blog, the online journal of the Computer Laboratory at Cambridge University. Wordpress stores passwords …
...Those lost government CDs didn't use md5s
MD5 is for hashing!
When will software developers realise that a simple MD5 on a password is insecure and pointless? Anyone can obtain a database of MD5 results to quickly get a working password to an application, which in turn might lead to the same username and password being used on other sites.
Wordpress, phpBB and various other applications stick with a pointless hash without a salt. Surely the developers should've realised this by now?
re MD5 is for hashing
Im not sure how you would obtain the md5 hashes for a specific wordpress/phpbb install unless there is a bigger security problem on that server, or you are the admin, but anyway phpBB3 does now use a salt.
"Im not sure how you would obtain the md5 hashes for a specific wordpress/phpbb install unless there is a bigger security problem on that server, or you are the admin"
FFS, Did you READ the story?? Here's the first bloody line:
"A Cambridge University researcher successfully used Google to unearth a password used by an attacker to compromise its security blog."
So yes, he's the bloody admin!
Or you can go on Arin or RIpe and change all the insecure auth owners details to rude words.
The idea of using a nice free tool to check if my password is buggered seems a bit mental.
Oh look, my password is fine, nice website only has my password and my IP address. quick google later......
Key as filename
"I've even written code which does the same. When I needed to store a file, indexed by a key, a simple option is to make the filename the key's MD5 hash."
You'd have to be pretty retarded to ever use the password as the key you store info by though, let alone storing it in a web accessible way. After all, google can only index that which appears openly on the web.
To combine those two fatal flaws with the storage of plain text passwords even though you have a matching hash should be enough to get you marked as a danger to all mankind.
If you must use a key as a filename, it should be either a unique username or ID (which, for the benefit of Steven Murdoch, are 100% resistant to accidental collisions). Password hashes definately taste better with salt. There is no excuse for ever storing plain text passwords, anywhere.
As for wordpress, phpBB, VB and other big name web software, I'm always of the opinion that if it's worth doing then it's worth doing yourself. They've all proven repeatedly that they know bugger all about security, and their code should never be trusted without some serious modifications.
SHA512 your asses!
Why would anyone use MD5 for anything in this day and age? Its akin to building a Quad Core modern computer with four Gig of RAM and then using a 170KB floppy disk drive from a Commodore for storage.
SHA512 generates 88 bytes which can be padded using your salt key and then stored using token-stripped Base64 for portability and size. Most all modern technologies can support it.
Wow! What a surprise
Sounds just like the invention of the infinite probability drive (Douglas Adams).
Google Hacking - Recommended Reading
In my web applications, I use a 'custom' hashing method which combines a user salt, a server salt, hashing the password forwards, backwards, you name it, combining these all together and hashing again.
To be even more protected against accidental collisions, you can implement 2 different hashing algorithms (different server salts, using SHA instead of MD5, or both, etc), store both results and check against both of them.
Paranoid? Maybe... but I find it ridiculous that people are just using a simple md5 hash of the password and thinking that is secure!
- Bugger the jetpack, where's my 21st-century Psion?
- Something for the Weekend, Sir? Why can’t I walk past Maplin without buying stuff I don’t need?
- Review 'Mommy got me an UltraVibe Pleasure 2000 for Xmas!' South Park: Stick of Truth
- The land of Milk and Sammy: Free music app touted by Samsung
- Privacy warriors lob sueball at Facebook buyout of WhatsApp