Enigma Group's Hacking Forum
User Info
Welcome, Guest. Please login or register.
May 18, 2012, 07:31:00 AM

Login with username, password and session length
Search:     Advanced search
News
Think you can hack? Test your knowledge on Enigma Group's 170+ missions.
Forum Stats
33910 Posts in 4170 Topics by 38418 Members
Latest Member: cbbyfhxcax
Enigma Group's Hacking Forum  |  General  |  Cheap Plugs  |  The State of Password Hashing - Advice?
« previous next »
Pages: [1] Print
Author Topic: The State of Password Hashing - Advice?  (Read 398 times)
tronikz
Newbie
*
Offline Offline

Posts: 18
  • Respect: 0

    		•
    « on: August 14, 2011, 12:45:51 AM »
    0
    I'm posting this in Cheap Plugs because it's mainly a link to my own website, even though I'm asking for advice.

    I've been working on a web page that explains why websites that limit passwords to really short lengths are probably storing everyone's passwords in plain text. Here it is:

    Code: [Select]
    https://defuse.ca/passwordrestrictions.htm

    I'm looking for advice in a few areas.

    First, mysql_real_escape_string is so easy to use, I really can't think of a reason why some websites won't allow certain characters in passwords (even when they aren't hashing). Do you think my argument about "lazy input sanitization" is valid, or is there some other reason I'm not thinking of. I know that banks probably have legacy systems that will only accept mainframe style passwords, but if a website is backed by MySQL (or similar), what other reason would they have to disallow the use of certain characters? For example, cnet.com says:

    Quote
    Please use only alphanumeric characters, underscores "_", and dashes "-"

    Second, let me know if there is anything else you would like me to cover, and let me know of any areas that are confusing or could be expanded.

    Third, any suggestions for the layout? I'm happy with the logo and navbar (good enough), but everything in the white box looks like shit to me, so suggestions are welcome.

    I should probably explain why I'm writing this page in the first place.

    The only thing that storing passwords in the clear does is give cyber-criminals (NOT hackers, cyber-criminals in organized cybercrime) monetary incentive to hack shit for profit. Most of these passwords are accessible with simple SQLi attacks. To me, this is just like credit card fraud -- it gives mindless 13 year olds a way to compromise the security of hundreds of thousands of people, no effort required. I haven't been here long enough to judge where this community is on the whitehat-blackhat scale, but no matter what color hat you wear, I think you can agree that mass insecurity is a bad thing, especially when it's so easily exploited for profit.

    Thanks in advance for any ideas.
    « Last Edit: August 21, 2011, 10:43:16 AM by tronikz » Logged
    Strap on your pseudorandom number generators and head on into the future!
    RatHat
    Full Member
    ***
    Offline Offline

    Posts: 199
  • Respect: 0


    • proof ya!
    « Reply #1 on: August 16, 2011, 03:38:05 AM »
    0
    Quote from: tronikz on August 14, 2011, 12:45:51 AM

    [snip...]

    Quote
    Please use only alphanumeric characters, underscores "_", and dashes "-"

    [snip...]


    They limit the charset for the passwords AND give it away to possible attackers?  ::) 
    "stupid" is clearly an understatement...

    btw, I like your conclusions from password limitations to storing flaws.
    Logged
    Pages: [1] Print 
    « previous next »
     
    Find Us on Facebook! Find us at Facebook! - Follow Us! Follow us with Twitter! - Make sure to Stumble us! Stumble upon us! - Subscribe! Subscribe to our feed!

    Information

    Hacking Missions

    Code Resources

    Review enigmagroup.org on alexa.com

    ©Enigma Technology Group Inc. 2005-2012