Ok, I didn't really get to look at the source for long.. but according to the outline, the md5 hash set up is of the username + secret var.... well, say for some reason someoen else got a members password (this can hapen by this person telling them, guessign right, or if they logged on to the server on the comp)... well, the password isn't even needed all you need is the hash for that matter (making it just a little bit easier to get)... ok, I bet thats a little confusing, but I'll go on... now that someone has the guys password, he can now get the hash. So, this person finds out and changes his password.... BUT the problem is, the hash is still the same! So no matter how many times he changes the password, the other guy can still get in.
Also, it wouldn't take too long to program something that just kept going through every possible var for the secret var till they got a match. When they do get a match, they will have complete access to all accounts.
-Bob Monteverde
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
well, in that case,
isn't it possible to md5 hash the username, secret word and the password hash?
So when someone changes his password the hash changes too...
Correct me if I'm wrong...
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
trebel, no since then you would have to check password in the Database, which defies the point. The problems above would be fixed though, if this was done in sessions, which are MUCH harder to spoof.
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
Ok, I didn't really get to look at the source for long.. but according to the outline, the md5 hash set up is of the username + secret var.... well, say for some reason someoen else got a members password (this can hapen by this person telling them, guessign right, or if they logged on to the server on the comp)... well, the password isn't even needed all you need is the hash for that matter (making it just a little bit easier to get)... ok, I bet thats a little confusing, but I'll go on... now that someone has the guys password, he can now get the hash. So, this person finds out and changes his password.... BUT the problem is, the hash is still the same! So no matter how many times he changes the password, the other guy can still get in.
Also, it wouldn't take too long to program something that just kept going through every possible var for the secret var till they got a match. When they do get a match, they will have complete access to all accounts.
-Bob Monteverde
Interesting! This will have to be researched as it's obviously VERY important.
Anyone else have an opinion on the matter?
well, in that case,
isn't it possible to md5 hash the username, secret word and the password hash?
So when someone changes his password the hash changes too...
Correct me if I'm wrong...
trebel, no since then you would have to check password in the Database, which defies the point. The problems above would be fixed though, if this was done in sessions, which are MUCH harder to spoof.