I wont be using this method anymore to secure passwords

http://blogs.computerworld.com/ssl_cert_hash_hacked_on_ps3_farm

I can't get over the PS3 farm though.. haha I mean hey at least the PS3 is getting some use right?

MD5 has known to be insecure for a long time. You should never have used it for hashing passwords. In fact, no prudent CA worth their salt would use it for certificates. Use SHA1 at least.

Gosh, this has been out for almost a week now.

Yes, it's been known to be insecure for a long time, about ten years if I recall right, and there have been various theoretical or highly controlled/limited attacks, but this [if I'm not mistaken] is the first time it's been shown to be hacked in the wild, as it were.

Also, within a day or so of that article coming out, Verisign, Rapidfax, and I believe a few others dropped md5 support and updated their certs to use SHA-1. Wish they'd at least gone for SHA-2, as SHA-1's been theoretically vulnerable for nearly as long as MD5. But still nice to see a bit of due diligence.

But yes, the 200 PS3 rack amused me greatly.

vBulletin uses MD5

That's because vBulletin sucks.

Also, hashing for passwords is a little different because properly hashed passwords also have random salts applied to them. vB's probably doesn't, though.

Because it sucks.

No, VB uses 3x hash with salt, I believe. It was one of the first widely used software that tried to address MD5 weaknesses, if I recall.

Not that VB doesn't suck otherwise.

3x hash with what algorithm?

md5(md5(md5('password')) . salt) or something.

Given that collisions do happen with md5, surely repeating the process reduces the number of possible hashes? Do it enough times and you might end up with all passwords having the same hash.

I use static salts + dynamic salts + sha1 now. Stopped using md5 when I found out it had been cracked (which was a while ago).

static salt == in the source. dynamic salt == based on something that can be generated the same way when the user enters their pass any time. I would use a username usually. sha1 == not cracked yet.

You're such a little know-it-all, when in fact you don't

Yeah it is something like that, the random 3 character salt is saved right in each of the users table column.

Here's some clarifications:

A. vBulletin does indeed use MD5.
B. The function for hashing is md5(md5(pass) . salt)
C. The salt is randomly generated on user registration, including punctuation and symbols.
D. vBulletin makes use of the "strikes" system meaning that unless you have direct access to the hashes themselves, you cannot run a typical bruteforcing program on it. Of course, if the database is compromised and they have access to the hashes, then you have bigger problems than people's passwords being cracked.

emowned

This part made me laugh.

You're just pissy because I told you hand-coding PHP is stupid. Which it is.

Sorry I wasn't trying to be rude.

anyway how else are you supposed to code PHP? by feet?

Nothing in this thread makes any sense to me.

Psh, I hacked MD5 with just one PS3.

Any hash algorithm is vulnerable to dictionary attacks if you don't use a salt.

It's difficult to prove that any hashing algorithm is strong. People used to think that MD5 was secure, and they used to (and evidently still do) believe that SHA1 is secure 'enough'. It's not, but it's expensive and difficult to prove that any cryptographic algorithm is secure, hardened, and adequately asymmetrical.

It's also pretty difficult to warrant a change when you have organizations like the NSA trying to push the world to adopt cryptographic algorithms that have back doors in them.

All the software I write nowadays makes use of AES256 encrypted SHA512 hashes in a database. Nearly all sensitive data in the database, including the username, salt, email address, etc would first have to be decrypted by finding my AES256 key which is located in a non-web location, with incredibly reduced permissions, keeping the key away from the source code. This way, if for some reason the hacker does manage to dump the database (by exploiting a flaw in the software to execute arbitrary SQL usually), OR attempts to modify a user using the SQL, it will be completely useless. Dumping it results in absolutely useless information, and attempting to modify a user results in the server attempting to decrypt it only to have the falsified information completely destroyed in the process.

Yeah it's overkill and it's probably too resource intensive for larger projects, but it's not hard to implement and I figure, if you can, why shouldn't you?

s'okay love you too baby


By using existing frameworks. PHP is a cluster**** of a language, writing anything but simple websites (e.g. basic templating) without some kind of framework will take a lot longer, even when you factor in the time it takes to learn a framework (which isn't much).

I beat MG4 on my PS3






oh dat nut wat weer talkin bout?

Existing frameworks will only take you so far, yes I use existing frameworks. I also build my own. But when I am selling my services, and my product to a company with my name on it. I build it so that they have my word that my product is what they paid for. Not someone elses work that may or may not function properly.

I mean, everyone who writes a Hello World script thinks they are a PHP developer so there are A LOT of **** frameworks out there.

That's why you use reliable frameworks... When I write .NET stuff for a client, the fact that the framework behind it was written by Microsoft doesn't make it any less my work. It's pointless to reinvent the wheel.

Ok well, I mean yeah there is PEAR and that is really all I use.. but when I say "Framework" that isn't what I was referring too.. i'm talking about "framework" as in, Joomla, or any other already built PHP app, or class library's..

Is there a framework you would personally endorse? Asking as someone who keeps meaning to pick up php, but is slightly repelled by the mess.

I'm referring to MVC frameworks like CodeIgnitor or CakePHP. These are not big CM systems like Joomla. They are designed for rapid web application development and are very mature and stable. I've always heard CodeIgnitor was better, mainly because of CakePHP's lack of documentation. Supposedly it got a lot better a few months ago.

An even better option would be to not use PHP at all. Python-based frameworks like Pylons or Django are excellent options. Ruby on Rails is good for small to medium sized applications but doesn't scale well beyond that. ASP.NET scales extremely well, and the new MVC framework for it is very nice. That ties you to Windows or Apache + mod_mono, however.

CodeIgnitor, CakePHP, Rails, Django.

I'd choose Django but it does require Python, it's amazing how much you can get done in a short amount of time though.

I've heard nothing but good things about CakePHP, and I hear that the poor documentation is made up for by helpful forums, but these aren't people I've worked with or seen their work, so I don't know.

I'm with ya buddy.
The question is: why did we even click? =s
(the PS3 bit was amusing though)

I downloaded CodeIgniter and it's not bad, good documentation and easy to work with.

CakePHP is probably the worst framework out of the bunch. Never, ever, ever, ever use it. CodeIgniter is much better.

My only issue so far with this MVC Frameworks, even though they try really hard to make a small foot print, the script still take longer to load than my own personal framework, it may be fractions of a second. But on a live server with hundreds of people on at once would make it seem a bit longer.

That's why they all tend to come with built in caching functionality. There a lot of tricks you can use to optimise loading times, but there's no point worrying about it until you have performance issues - instead use your time developing code unique to your project rather than reinventing the wheel.

The problem with PHP (like others) is that there is a million ways to do 1 thing. One persons function that does something another person function does, may or may not be better than the other.

I mean, why does Chevy make a car if Ford makes one..

Ultimately the framework you choose is less about which is technically better, but about which allows you to be most productive.

Of course, sometimes a framework will force you into bad practices, a lot of big enterprisey ones in the Java and .NET worlds are like this. But at the end of the day it's down to what you feel comfortable programming with.

Algorithmic differences are absolutely fine and you'll encounter them in any programming language. The problem with PHP is the fact that it's loaded with synonyms.

Which ones are you talking about for Java and .NET? I've touched J2EE a bit and found it overly complicated, although it's supposed to be scalable. I don't think I've used any .NET frameworks other than the official MVC framework, which is just wonderful.