11-23-2004   #16
code anyone?
 
scrowler
 
Join Date: Feb 2004
Location: New Zealand
Posts: 590

Quote:
You can use this method to protect admin areas and member only pages, but it has limited reliability, so I do not recommend using this function to protect administration areas for big businesses or important websites. It is, however, more than sufficient for small businesses and for personal use.
You may be correct, but in the tutorial I specifically noted that it's not completely sure. Certainly you will not get 2 different hashes from the same string, but I don't know about getting 2 hashes the same from different strings.

An issue I was thinking about the other day is what happens if you md5 a string that is more than 32 characters long?

Anyway, it's just a small, easy way to encrypt things, I'm sure no one will be brute forcing someone's personal website.
__________________
BioRUST Tutorials - the birthplace
11-23-2004   #17
Red Dawn
 
BlodoPKNZ
 
Join Date: May 2004
Location: Eastern Europe
Posts: 302

Yes but take a look at a site like biorust. Mog says there are hundreds of spoiled kids trying to hack it every month init. Well biorust isn't a corporate website so if Mog used md5 it would make this much easier to crack the password to i.e. biorust's admin panel? What I am saying is that I think the usage of md5 actually creates a vulnerability in the system. Sure it eliminates capturing the $_POST variable while php is processing the form (if it's possible) but what about the potential 2 strings containing the same hash? Aren't there any workarounds to avoid this?
11-23-2004   #18
Local Biorust Beast
 
Order
 
Join Date: Oct 2003
Location: San Diego, CA, USA
Posts: 2,253

md5 will encrypt in the same way, so you check for equality in the two hashes. Recently someone did find a way to break md5 hashes, but that does not mean it is a major vulnerability.

In one project of mine, where I was interfacing PHP with Visual Basic, I used md5 to match boolean values. Worked all the time, I would not consider it a big problem, until someone is able to decrypt or alter an md5 during its creation.
11-24-2004   #19
code anyone?
 
scrowler
 
Join Date: Feb 2004
Location: New Zealand
Posts: 590

Quote:
Originally Posted by BlodoPKNZ
Yes but take a look at a site like biorust. Mog says there are hundreds of spoiled kids trying to hack it every month init. Well biorust isn't a corporate website so if Mog used md5 it would make this much easier to crack the password to i.e. biorust's admin panel? What I am saying is that I think the usage of md5 actually creates a vulnerability in the system. Sure it eliminates capturing the $_POST variable while php is processing the form (if it's possible) but what about the potential 2 strings containing the same hash? Aren't there any workarounds to avoid this?
There are extra things you can do to secure your login page, I'm sure m0g wouldn't have written admin panels that were simply authenticated

ya never know though, i could be wrong
__________________
BioRUST Tutorials - the birthplace
Closed Thread
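
The questions raised in this thread (what md5 does with long input, identical hashes for identical passwords, and how to move a login check off md5), shown as an added example that is not code from any post above, the tutorial, or BioRUST. The function names, the stored-hash format check and the sample password are assumptions made for illustration.

```php
<?php
// Added example; names and sample data are constructed, not from the thread.

// md5() always returns 32 hex characters (128 bits), whatever the input length.
function md5_len(string $input): int {
    return strlen(md5($input));
}

// Legacy check as discussed in the thread: unsalted md5 of the password.
// The same password always yields the same hash, so equal hashes in a
// user table reveal equal passwords and precomputed tables apply.
function legacy_verify(string $password, string $storedMd5): bool {
    return hash_equals($storedMd5, md5($password)); // constant-time compare
}

// Hardened form: salted, deliberately slow hash from PHP's password API.
function new_hash(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Login that accepts an old md5 record once and upgrades it on success.
// Returns [authenticated, hash to write back to storage].
function login_and_upgrade(string $password, string $stored): array {
    $isLegacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    if ($isLegacy) {
        if (!legacy_verify($password, $stored)) {
            return [false, $stored];
        }
        return [true, new_hash($password)]; // replace the md5 record
    }
    if (!password_verify($password, $stored)) {
        return [false, $stored];
    }
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $stored = new_hash($password);      // cost or algorithm changed
    }
    return [true, $stored];
}

// Constructed sample data.
$pw = 'correct horse battery staple';
var_dump(md5_len('a'), md5_len(str_repeat('x', 1000))); // short vs long input
var_dump(md5($pw) === md5($pw));                        // unsalted: repeatable
var_dump(new_hash($pw) === new_hash($pw));              // salted: differs per call
[$ok, $upgraded] = login_and_upgrade($pw, md5($pw));    // legacy record
var_dump($ok, password_verify($pw, $upgraded));
[$bad] = login_and_upgrade('wrong', $upgraded);         // wrong password
var_dump($bad);
```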

Design & Content © BioRUST 2008