[wp-hackers] Wordpress Event Viewer Plugin
computerguru at neosmart.net
Tue Apr 3 20:03:14 GMT 2007
Yes they do....
MD5 *is* technically an encryption scheme. And yes, with the help of rainbow tables, it can be decrypted - but it is never stored in plain text anywhere in a vanilla copy.
Instead, the user password when logging in is encrypted and the two MD5 hashes are compared.
I agree, it's not *that* secure, but it's good enough - like Brian was saying, how far do you want to go?
At any rate, vBulletin, IPB, Confluence, JIRA, Habari, MyTopix, and a bunch of others DO use SHA1/MD5 + Salt - and that's rather secure, because it's not going to be stored in rainbow tables or anything.
Of course adding a single line to the login module is all it takes to log successful passwords with the usernames associated with them, I'm not denying that.
But for someone like me who has over 500 active logins at any given time in use, it's *less* secure to have a different password for each account, because you're gonna have to write it down.
I have no problem telling you: I have about 35 or so different passwords that I use. 8 are one-per-account, the rest vary in complexity and usage. However, I've never had to write any of them down. On occasion, yes, I have forgotten a password, but it's better than writing it down so it can be stolen with your PDA/Phone or copied off the PostIt note on your screen.
Honestly, I HATE passwords. Passwords are ridiculously weak and terribly insecure - but what are the alternatives?
OpenID is a nice alternative to some extent, same with Live ID from Microsoft, except that one's not free.
So tell me, when you have 500 accounts you use regularly (1+ a month) on dozens of different platforms and scripts with trusted and untrusted people, organizations, and corporations - what DO you do?
At some point you just have to say to hell with it, and rely on the legal system and some level of human decency somewhere along the way.
> -----Original Message-----
> From: wp-hackers-bounces at lists.automattic.com [mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Robert Deaton
> Sent: Tuesday, April 03, 2007 10:48 PM
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Wordpress Event Viewer Plugin
> On 4/3/07, Computer Guru <computerguru at neosmart.net> wrote:
> > I have a rule: I only repeat my username/pass combo if I know for a
> > fact that the site uses encryption.
> > For instance, IPB, vBulletin, MyTopix, MyBB - I trust these, because
> > encrypts the password in the DB.
> No they don't. And even if they did, they'd have to be able to
> unencrypt them somewhere in the script anyways to compare against the
> one you enter.
> It's a one-way hash, and thinking it can't be looked up in a rainbow
> table or brute forced fairly easily is more often than not wrong
> (because more often than not people are using things like md5() once
> without any sort of salt to hash the password).
> But please, do not call it encryption. It is not, and it will never
> be. Encrypting passwords in a database is just silly.
> --Robert Deaton
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
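The thread above turns on two points: a stored password hash is verified by recomputing and comparing, not by "decrypting", and an unsalted md5() is exposed to precomputed lookup while a per-user salt is not. The following is an added illustration written for this page, not code from WordPress, vBulletin or any of the other projects named in the thread. It uses a small constructed candidate list as a stand-in for a precomputed table, and uses PBKDF2 from the Python standard library as the salted, iterated scheme; the function names and the candidate list are assumptions made here.

```python
import hashlib
import hmac
import os

# Constructed candidate list standing in for a precomputed lookup table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "wordpress", "qwerty"]


def unsalted_md5(password: str) -> str:
    """The scheme Robert objects to: md5() once, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once.

    Because there is no salt, this one table works against every stored
    hash in every database that uses unsalted md5(): two users with the
    same password share the same hash.
    """
    return {unsalted_md5(p): p for p in candidates}


def lookup_unsalted(stored_hash: str, table: dict):
    """Recover a password from an unsalted hash by table lookup (None if absent)."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256).

    The salt makes a precomputed table useless: the attacker would need a
    new table per salt value. The iteration count slows brute force.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def create_record(password: str) -> dict:
    """What gets stored in the DB: a fresh random salt plus the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify(password: str, record: dict) -> bool:
    """Login check: recompute from the candidate password and compare.

    Nothing is ever reversed; the stored hash is never "decrypted".
    compare_digest avoids leaking information through comparison timing.
    """
    candidate = salted_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def lookup_salted(record: dict, table: dict):
    """A table keyed on unsalted md5 values cannot match a salted hash."""
    return table.get(record["hash"])


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted md5 of 'letmein' recovered:", lookup_unsalted(unsalted_md5("letmein"), table))
    rec = create_record("letmein")
    print("salted record recovered by table:", lookup_salted(rec, table))
    print("verify correct password:", verify("letmein", rec))
    print("verify wrong password:", verify("letmein1", rec))
```

The contrast is the whole point: the same weak password is recovered instantly from the unsalted md5 store, while the salted record yields nothing to the same table and can still be checked at login by recomputation.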