🏒 Lucian Marin I open sourced the last two of my personal projects: notes.lucianmarin.com at github.com/lucianm... and photos.lucianmarin... at github.com/lucianm... -- enjoy! You can easily install them on any shared hosted service.
Martijn Always good to see personal projects get open-sourced! I recently did the same for a small wiki thing I run on my server github.com/Zegnat/... The line "generated md5 of your password" gave me a small heart attack though
7y, 27w 9 replies
🏒 Lucian Marin That's just a typo, I fixed it.
7y, 27w 5 replies
Martijn My heart attack was related to md5, not any possible typos.
7y, 27w 4 replies
🏒 Lucian Marin Weak passwords might be the problem, not the hashing algorithm. There aren't that many hashing algorithms available in PHP 5.2.
7y, 27w 3 replies
Martijn Yes and no. MD5 is a hashing algorithm, not a key derivation function. Using it for passwords is (basically) wrong no matter what. MD5 is also no longer considered collision proof and people don't need to find your strong password, just something that results in the same hash. That combined with a consumer graphics card doing 200 million hashes an hour... MD5 and SHA1 are both considered cryptographically broken. PBKDF2 is relatively easy to implement and I think is still acceptable even with MD5/SHA1 hashing algorithms (though don't quote me on it). Probably the best you can do on PHP 5.2 unless you include some bigger library.
7y, 27w 2 replies
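The PBKDF2 approach Martijn suggests, implemented on top of `hash_hmac()` (available since PHP 5.1.2, so it works on 5.2, where `hash_pbkdf2()` and `password_hash()` do not exist yet). This is an added example, not code from the thread or from either of the projects linked above; the function names, the `pbkdf2-sha256$iterations$salt$hash` storage format and the use of `/dev/urandom` for the salt are assumptions made here.

```php
<?php
// Added example (not from the thread): PBKDF2 over hash_hmac() for PHP 5.2.
// RFC 2898 / RFC 8018: T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)).
function pbkdf2($algo, $password, $salt, $iterations, $keyLength) {
    $algo = strtolower($algo);
    if (!in_array($algo, hash_algos(), true)) {
        throw new InvalidArgumentException("Unknown hash algorithm: $algo");
    }
    if ($iterations < 1 || $keyLength < 1) {
        throw new InvalidArgumentException('Iterations and key length must be positive');
    }
    $hashLength = strlen(hash($algo, '', true));
    $blocks = (int) ceil($keyLength / $hashLength);
    $output = '';
    for ($i = 1; $i <= $blocks; $i++) {
        // Block index is a 32-bit big-endian integer appended to the salt.
        $u = hash_hmac($algo, $salt . pack('N', $i), $password, true);
        $t = $u;
        for ($j = 1; $j < $iterations; $j++) {
            $u = hash_hmac($algo, $u, $password, true);
            $t ^= $u; // PHP string XOR is byte-wise
        }
        $output .= $t;
    }
    return substr($output, 0, $keyLength);
}

// Random salt. openssl_random_pseudo_bytes() only arrived in 5.3, so read the
// kernel CSPRNG directly; refuse to fall back to mt_rand(), which is not one.
function random_salt($bytes) {
    if (is_readable('/dev/urandom')) {
        $fp = fopen('/dev/urandom', 'rb');
        $salt = fread($fp, $bytes);
        fclose($fp);
        if (strlen($salt) === $bytes) {
            return $salt;
        }
    }
    throw new RuntimeException('No secure random source available for the salt');
}

// Length-independent comparison: a plain == or === leaks where the first
// mismatching byte is through timing.
function hashes_equal($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($a); $i < $n; $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Storage format (assumed here): pbkdf2-sha256$<iterations>$<salt b64>$<hash b64>
function create_password_record($password, $iterations = 20000) {
    $salt = random_salt(16);
    $hash = pbkdf2('sha256', $password, $salt, $iterations, 32);
    return 'pbkdf2-sha256$' . $iterations . '$' . base64_encode($salt) . '$' . base64_encode($hash);
}

function verify_password($password, $record) {
    $parts = explode('$', $record);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;
    }
    $iterations = (int) $parts[1];
    $salt = base64_decode($parts[2], true);
    $expected = base64_decode($parts[3], true);
    if ($iterations < 1 || $salt === false || $expected === false) {
        return false;
    }
    $actual = pbkdf2('sha256', $password, $salt, $iterations, strlen($expected));
    return hashes_equal($actual, $expected);
}

// Self-check against the RFC 6070 test vector for PBKDF2-HMAC-SHA1.
$vector = bin2hex(pbkdf2('sha1', 'password', 'salt', 1, 20));
if ($vector !== '0c60c80f961f0e71f3a9b524af6012062fe037a6') {
    throw new RuntimeException('PBKDF2 self-check failed: ' . $vector);
}

$record = create_password_record('correct horse battery staple');
var_dump(verify_password('correct horse battery staple', $record)); // bool(true)
var_dump(verify_password('wrong password', $record));               // bool(false)
```

The iteration count is what makes this slower for an attacker than a single MD5 per guess: the same 200 million hashes an hour becomes 200 million divided by the iteration count. Tune it so a login takes a few tens of milliseconds on the hosting box, and store the count in the record so it can be raised later without invalidating existing passwords.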
🏒 Lucian Marin Does it really matter what algorithm is used? It could be stored in plain text since it's part of a compiled .php file.
7y, 27w 1 reply
Martijn There is very little difference between MD5 and plain text, is what I was trying to say. So yes, you might as well store plain text. The question then becomes: why didn't you do that in the first place? The usual advice for key files (which a file containing the plain text password would be) is to put them outside of the web root. Remember that, theoretically, everyone has read rights in your web root. There are cases of CGI/PHP daemons failing and servers sending PHP files as plain text to browsers, which is what you need to get around.
7y, 27w reply